SB20260408172 - Server-Side Request Forgery (SSRF) in AVideo




Published: April 8, 2026

Security Bulletin ID: SB20260408172
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-27732)

The vulnerability allows a remote user to perform server-side requests to arbitrary URLs and disclose sensitive information.

The vulnerability exists due to server-side request forgery in aVideoEncoder.json.php when processing the downloadURL parameter. A remote user can supply a crafted URL to perform server-side requests to arbitrary URLs and disclose sensitive information.

The issue can be used to reach internal network endpoints, including internal APIs and metadata services.
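
For detection, the sketch below scans web access logs for requests to aVideoEncoder.json.php whose downloadURL value names a loopback, link-local (metadata) or private destination. It is an added example, not code from this bulletin or from AVideo; it assumes the parameter is visible in the logged request line (values sent in a POST body need application or WAF logs), and a hostname that merely resolves to an internal address is not flagged.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "aVideoEncoder.json.php"  # script named in the bulletin
PARAM = "downloadURL"                # parameter named in the bulletin
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed access-log lines; paths, hosts and addresses are illustrative.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2026:10:01:02 +0000] "POST /aVideoEncoder.json.php?downloadURL=https%3A%2F%2Fmedia.example.org%2Fclip.mp4 HTTP/1.1" 200 81
203.0.113.9 - - [08/Apr/2026:10:03:40 +0000] "POST /aVideoEncoder.json.php?downloadURL=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 412
203.0.113.9 - - [08/Apr/2026:10:03:55 +0000] "POST /aVideoEncoder.json.php?downloadURL=http%3A%2F%2F10.0.4.12%3A8080%2Fstatus HTTP/1.1" 200 95
198.51.100.4 - - [08/Apr/2026:10:05:00 +0000] "GET /view/img/logo.png HTTP/1.1" 200 5120
"""

def classify_target(url):
    """Return why a URL counts as an internal destination, or None."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return "non-http scheme"
    if host == "localhost" or host.endswith(".localhost"):
        return "internal hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname; DNS resolution is out of scope here
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (metadata range)"
    return "private range" if ip.is_private else None

def find_internal_targets(log_text):
    """Return (client, url, reason) for each flagged downloadURL value."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        target = urlsplit(m.group(1)) if m else None
        if not target or not target.path.endswith("/" + ENDPOINT):
            continue
        for value in parse_qs(target.query).get(PARAM, []):
            reason = classify_target(value)
            if reason:
                findings.append((line.split()[0], value, reason))
    return findings
```
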


Remediation

Install the update from the vendor's website.