#VU125434 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-27732

 


Published: April 8, 2026


Vulnerability identifier: #VU125434
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27732
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote user to perform server-side requests to arbitrary URLs and disclose sensitive information.

The vulnerability exists due to server-side request forgery in aVideoEncoder.json.php when processing the downloadURL parameter. A remote user can supply a crafted URL to perform server-side requests to arbitrary URLs and disclose sensitive information.

The issue can be used to reach internal network endpoints, including internal APIs and metadata services.
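
One way an application can vet a URL such as downloadURL before the server fetches it, shown as an added Python example rather than AVideo's code or the vendor's fix. The function names and the injectable resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # rules out file://, gopher://, ftp://, ...

def system_resolver(host):
    """All addresses the name currently resolves to (IPv4 and IPv6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public(addr):
    """True only for globally routable addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable answer: fail closed
    # ::ffff:127.0.0.1 and similar are judged by the IPv4 address they wrap.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # where cloud metadata services live), CGNAT and other reserved ranges.
    return ip.is_global

def check_download_url(url, resolver=system_resolver):
    """Return (allowed, detail). On success detail is the list of vetted
    addresses; the fetch should connect to one of them, not re-resolve."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
    except ValueError:
        try:
            addrs = resolver(host)  # also normalises forms like "2130706433"
        except OSError:
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    # Reject if ANY answer is internal, so a mixed DNS reply cannot slip through.
    bad = [a for a in addrs if not is_public(a)]
    if bad:
        return False, "non-public address: " + ", ".join(bad)
    return True, addrs
```

Redirects need the same check on every hop, since a public URL can redirect to an internal one.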


Remediation

Install the security update from the vendor's website.
