Platform
php
Component
wwbn/avideo
Fixed in
22.0.1
21.0.1
CVE-2026-27732 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the AVideo Encoder API. This vulnerability allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing sensitive internal data. The vulnerability affects AVideo versions prior to 22.0. A fix is available in version 22.0.
The SSRF vulnerability in AVideo’s aVideoEncoder.json.php API endpoint allows an authenticated attacker to bypass security controls and interact with internal services. By manipulating the downloadURL parameter, an attacker can instruct the server to fetch resources from any URL, including internal network endpoints that are not directly accessible from the outside. This could lead to the exposure of sensitive data stored on internal servers, such as configuration files, database credentials, or even proprietary code. The potential for lateral movement within the internal network is significant, as the attacker can use the compromised server as a proxy to scan and exploit other internal systems. The blast radius extends to any internal resource accessible via HTTP or HTTPS from the AVideo server.
CVE-2026-27732 was publicly disclosed on 2026-02-25. There is no indication of this vulnerability being actively exploited at this time. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are not widely available, but the SSRF nature of the vulnerability makes it likely that exploits will emerge if the vulnerability remains unpatched.
Organizations utilizing AVideo versions prior to 22.0, particularly those with internal services accessible via the network, are at risk. Shared hosting environments where multiple users share the same AVideo instance are also particularly vulnerable, as a compromised user account could be leveraged to exploit the SSRF vulnerability.
• php: Examine access logs for requests to aVideoEncoder.json.php with unusual or unexpected downloadURL parameters. Look for URLs pointing to internal IP addresses or non-standard ports.
grep 'aVideoEncoder.json.php' access.log | grep 'downloadURL='
• generic web: Use curl to test the endpoint with a known internal URL and verify that the request is blocked.
curl -v 'http://<avideo_server>/aVideoEncoder.json.php?downloadURL=http://169.254.169.254/mgmt/inventory'
• generic web: Check response headers for unexpected content types or error messages indicating an internal server error when attempting an SSRF request.
disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27732 is to upgrade AVideo to version 22.0 or later, which includes the necessary fix. If upgrading immediately is not feasible, implement temporary workarounds to reduce the risk. Deploy a Web Application Firewall (WAF) with rules to block requests containing suspicious URLs or patterns in the downloadURL parameter. Restrict outbound network access from the AVideo server so that it cannot connect to internal resources. Implement strict input validation on the downloadURL parameter, enforcing an allow-list of permitted domains or protocols. After upgrading, confirm the fix by attempting to trigger an SSRF request with a known malicious URL and verifying that it is blocked.
Update AVideo to version 22.0 or later. This version contains the fix for the SSRF vulnerability. The update can be performed from the administration panel, or the latest version of the software can be downloaded from the official website and the update instructions followed.
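The following is an added example, not AVideo project code, that covers both the log-review step from the detection section and the allow-list validation described under mitigation. One helper classifies a downloadURL target as internal (non-public IP, loopback, link-local) or as using an unusual port; scan_access_log() applies it to access-log lines, and validate_download_url() applies it as a deny-by-default allow-list check of the kind a fix or WAF rule would enforce. The log lines, client addresses and the cdn.example.org allow-list entry are constructed for the demo, and the request path is taken from the curl example above.

```python
"""Added example (not AVideo code): classify downloadURL targets for SSRF
detection in access logs and for allow-list validation before any fetch."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Ports a legitimate media download URL is expected to use (assumption).
EXPECTED_PORTS = {80, 443}

# Constructed allow-list: only hosts an operator has approved as download sources.
ALLOWED_DOWNLOAD_HOSTS = {"cdn.example.org"}

# Combined-log request field, e.g. "GET /aVideoEncoder.json.php?... HTTP/1.1"
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def is_internal_host(host: str) -> bool:
    """True when host is a literal IP outside the public ranges, or localhost.

    Only IP literals are classified here. A DNS name must be resolved and every
    returned address checked the same way, with the fetch pinned to that
    address, to defeat rebinding; that part is out of scope for this demo.
    """
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host.lower() == "localhost"


def classify_download_url(url: str) -> Optional[str]:
    """Return a reason string if url is a suspicious SSRF target, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return f"scheme {parsed.scheme or '<none>'}"
    host = parsed.hostname or ""
    if not host or is_internal_host(host):
        return f"internal host {host or '<empty>'}"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return "malformed port"
    if port not in EXPECTED_PORTS:
        return f"unusual port {port}"
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection: (client, downloadURL, reason) for suspicious encoder requests."""
    hits = []
    for line in lines:
        if "aVideoEncoder.json.php" not in line:
            continue
        match = LOG_RE.search(line)
        if not match:
            continue
        query = urlparse(match.group("path")).query
        for url in parse_qs(query).get("downloadURL", []):  # percent-decoded
            reason = classify_download_url(url)
            if reason:
                hits.append((line.split()[0], url, reason))
    return hits


def validate_download_url(url: str, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS) -> bool:
    """Mitigation: accept only http(s) URLs whose host is on the allow-list
    and which still pass the internal-target/port check."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    if (parsed.hostname or "").lower() not in allowed_hosts:
        return False
    return classify_download_url(url) is None


# Constructed sample access-log lines (client IPs are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2026:10:00:01 +0000] "GET /aVideoEncoder.json.php'
    '?downloadURL=http%3A%2F%2F169.254.169.254%2Fmgmt%2Finventory HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Feb/2026:10:00:02 +0000] "GET /aVideoEncoder.json.php'
    '?downloadURL=http%3A%2F%2F10.0.0.8%3A8500%2F HTTP/1.1" 200 77',
    '198.51.100.7 - - [25/Feb/2026:10:01:00 +0000] "GET /aVideoEncoder.json.php'
    '?downloadURL=https%3A%2F%2Fcdn.example.org%2Fclip.mp4 HTTP/1.1" 200 9001',
    '198.51.100.7 - - [25/Feb/2026:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 4321',
]

if __name__ == "__main__":
    for client, url, reason in scan_access_log(SAMPLE_LOG):
        print(f"SUSPICIOUS {client} -> {url} ({reason})")
    for candidate in ("https://cdn.example.org/clip.mp4",
                      "http://169.254.169.254/mgmt/inventory",
                      "http://cdn.example.org:8080/clip.mp4"):
        print(candidate, "allowed" if validate_download_url(candidate) else "rejected")
```

The detection half is the scripted form of the grep shown earlier, with the URL decoded and the host actually classified rather than eyeballed; run it over the real access log by replacing SAMPLE_LOG with the file's lines. The validation half is deliberately allow-list first and range-check second, so a host that is later added to the allow-list still cannot be used with a non-standard port or an IP literal.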
CVE-2026-27732 is a HIGH severity SSRF vulnerability affecting AVideo versions prior to 22.0. It allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing internal data.
You are affected if you are using AVideo versions 21.0.0 or earlier. Upgrade to version 22.0 to resolve the vulnerability.
Upgrade to AVideo version 22.0. As a temporary workaround, implement a WAF rule to block suspicious URLs or enforce stricter input validation on the downloadURL parameter.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the official AVideo security advisory for detailed information and updates: [https://www.avideo.com/security/advisories](https://www.avideo.com/security/advisories)