{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39370/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-27732"},{"cvss":7.1,"id":"CVE-2026-39370"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","avideo","cve-2026-39370"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo, a video-sharing platform, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability due to an incomplete patch for CVE-2026-27732. The vulnerability exists in the \u003ccode\u003eobjects/aVideoEncoder.json.php\u003c/code\u003e script. An authenticated uploader can provide a malicious \u003ccode\u003edownloadURL\u003c/code\u003e containing a common media extension like \u003ccode\u003e.mp4\u003c/code\u003e, \u003ccode\u003e.jpg\u003c/code\u003e, \u003ccode\u003e.gif\u003c/code\u003e, or \u003ccode\u003e.zip\u003c/code\u003e, bypassing SSRF validation. This allows the attacker to force the server to fetch internal resources. The server fetches the specified URL using \u003ccode\u003eurl_get_contents()\u003c/code\u003e, stores the response as media content, and makes it accessible through the \u003ccode\u003e/videos/...\u003c/code\u003e endpoint. This vulnerability, identified as CVE-2026-39370, affects AVideo versions 26.0 and earlier. Exploitation enables exfiltration of sensitive data from internal APIs and services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs in as a low-privilege authenticated user with upload privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003edownloadURL\u003c/code\u003e pointing to an internal resource (e.g., \u003ccode\u003ehttp://127.0.0.1:9998/probe.mp4\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/objects/aVideoEncoder.json.php\u003c/code\u003e with the \u003ccode\u003edownloadURL\u003c/code\u003e and a valid \u003ccode\u003eformat\u003c/code\u003e parameter (e.g., \u003ccode\u003emp4\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAVideo\u0026rsquo;s \u003ccode\u003edownloadVideoFromDownloadURL()\u003c/code\u003e function extracts the extension and incorrectly skips \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e validation due to the allowlisted extension.\u003c/li\u003e\n\u003cli\u003eThe server fetches the content from the attacker-controlled \u003ccode\u003edownloadURL\u003c/code\u003e using \u003ccode\u003eurl_get_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe fetched content is written into video storage.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the media metadata using \u003ccode\u003eGET /objects/videos.json.php?showAll=1\u003c/code\u003e to obtain the \u003ccode\u003evideosURL.mp4.url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the media URL and recovers the content from the internal resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an authenticated uploader to force the AVideo server to fetch internal resources and persist the response as media content. This Server-Side Request Forgery (SSRF) vulnerability allows internal response exfiltration from private APIs, admin endpoints, or other internal services reachable from the application host. The number of potential victims corresponds to the number of AVideo installations at version 26.0 or earlier, and the sectors primarily affected are likely media and entertainment, as well as organizations using AVideo for internal video hosting.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e to all \u003ccode\u003edownloadURL\u003c/code\u003e inputs in \u003ccode\u003eobjects/aVideoEncoder.json.php\u003c/code\u003e, regardless of file extension, to remediate CVE-2026-39370.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AVideo SSRF Attempt via DownloadURL\u0026rdquo; to identify potential exploitation attempts based on requests to \u003ccode\u003e/objects/aVideoEncoder.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRestrict upload-by-URL functionality to an explicit allowlist of trusted fetch origins.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T00:08:47Z","date_published":"2026-04-08T00:08:47Z","id":"/briefs/2026-04-avideo-ssrf/","summary":"WWBN AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix for CVE-2026-27732, allowing authenticated uploaders to bypass SSRF protection by providing a `downloadURL` with a common media extension, leading to internal response exfiltration.","title":"WWBN AVideo SSRF Vulnerability via Incomplete CVE-2026-27732 Fix","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-39370","version":"https://jsonfeed.org/version/1.1"}