CVE-2026-27732
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
Description
### Vulnerability Type

Authenticated Server-Side Request Forgery (SSRF)

### Affected Product/Versions

AVideo versions prior to 22 (tested on AVideo 21.x).

### Root Cause Summary

The `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs, including internal network endpoints.

### Impact Summary

An authenticated attacker can leverage the SSRF to interact with internal services and retrieve sensitive data (e.g., from internal APIs or cloud metadata services), potentially leading to further compromise depending on the deployment environment.

### Resolution/Fix

This issue has been fixed in AVideo version 22. Users should upgrade to version 22.0 as soon as possible.

### Credits/Acknowledgement

Thanks to Arkadiusz Marta for responsibly reporting this issue.

- GitHub Profile: https://github.com/arkmarta/
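The root cause above is the classic SSRF shape: a user-controlled URL goes straight to a server-side fetcher. The example below, written for this page and not taken from AVideo, puts the vulnerable "accept anything" check beside a hardened validator. It assumes invented names (`validate_download_url`, `allowed_hosts`, `fake_resolver`) and constructed DNS answers so it runs offline; it also goes beyond the advisory by showing the checks a fetcher needs beyond a host allow-list: scheme restriction, rejection of embedded credentials, checking every resolved address (not only the first), unwrapping IPv4-mapped IPv6 literals, and pinning the resolved IP so a DNS-rebinding answer cannot change between check and request.

```python
"""Added illustration of the SSRF root cause described in the advisory.

This is example code written for this page, not AVideo's own code; the
function names, the allowed_hosts parameter and the sample DNS data are
invented for the illustration.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Policy for a "download this URL" feature: only http(s), only public hosts.
ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_download_url_check(url):
    """The pattern the advisory describes: any non-empty downloadURL is
    accepted and handed to the server-side fetcher, internal target or not."""
    return bool(url)


def _is_public_ip(addr):
    """True only for globally routable addresses. Loopback, RFC 1918,
    link-local (169.254.0.0/16, where cloud metadata services live), CGNAT,
    multicast, reserved and unspecified addresses all fail."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def resolve_all(hostname):
    """Default resolver: every address the OS returns for the name."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_download_url(url, resolver=resolve_all, allowed_hosts=None):
    """Return (ok, reason, pinned_ip) for a user-supplied download URL.

    Rejects non-http(s) schemes, embedded credentials, hosts outside the
    optional allow-list, and any host for which ANY resolved address is
    non-public. pinned_ip is the address the fetcher must actually connect
    to (sending the hostname in Host/SNI) so the DNS answer cannot change
    between this check and the request (DNS rebinding).
    """
    try:
        parsed = urlparse(url)
    except ValueError:
        return False, "unparseable URL", None
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}", None
    if parsed.username or parsed.password:
        return False, "credentials in URL are not allowed", None
    host = parsed.hostname
    if not host:
        return False, "missing host", None
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host not on allow-list: {host}", None
    # IP literals are checked directly; names go through the resolver and
    # every returned address is checked, not just the first.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return False, f"host does not resolve: {host}", None
    for addr in addresses:
        if not _is_public_ip(addr):
            return False, f"{host} resolves to non-public address {addr}", None
    return True, "ok", addresses[0]


# Constructed DNS answers so the example runs offline; 93.184.216.34 stands
# in for an ordinary public address.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],  # split-horizon leak
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolver(hostname):
    """Stand-in for resolve_all that answers only from FAKE_DNS."""
    return FAKE_DNS.get(hostname.lower(), [])


if __name__ == "__main__":
    samples = [
        "https://cdn.example.com/clip.mp4",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:8080/admin",
        "http://[::ffff:127.0.0.1]/",
        "http://mixed.example.com/clip.mp4",
        "file:///etc/passwd",
        "http://user:pw@cdn.example.com/clip.mp4",
    ]
    for s in samples:
        print(vulnerable_download_url_check(s), validate_download_url(s, fake_resolver), s)
```

Two caveats a reviewer would raise on any real fix: the fetcher must re-run the same validation on every HTTP redirect target (a public host that 302s to an internal address is the standard bypass), and it must connect to the returned pinned IP rather than resolving the hostname a second time. Whether shorthand literals such as decimal or hex IPv4 forms are honoured depends on the resolver and HTTP client in use; checking the addresses the resolver actually returns, as above, covers them regardless.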
How to fix CVE-2026-27732
The tracked package data records no fixed version, but the upstream advisory above states the issue is fixed in AVideo 22.0. Upgrade to 22.0 or later. Where that is not yet possible, remove or disable the affected component and follow upstream guidance.
- No fixed version recorded in the package data (advisory text: fixed in 22.0)
Is CVE-2026-27732 being exploited?
Low. EPSS is 0.0%, i.e. the predicted probability of exploitation in the wild over the next 30 days is negligible. EPSS is a prediction, not an observation: it does not mean exploitation has been observed or ruled out, and an authenticated SSRF reachable from untrusted users should still be patched.
Affected packages (1)
- AVideo: all versions from 0 up to and including 21.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |