CVE-2026-27732
HIGH8.1EPSS 0.04%AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
Description
### Vulnerability Type Authenticated Server-Side Request Forgery (SSRF) ### Affected Product/Versions AVideo versions prior to 22 (tested on AVideo 21.x). ### Root Cause Summary The `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). ### Impact Summary An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. ### Resolution/Fix This issue has been fixed in AVideo version 22. Users should upgrade to version 22.0 as soon as possible. ### Credits/Acknowledgement Thanks to Arkadiusz Marta for responsibly reporting this issue. - GitHub Profile: https://github.com/arkmarta/
Affected packages (1)
- Packagist/wwbn/avideofrom 0, <= 21.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |