HIGH · CVE-2026-27732 · CVSS 8.1

CVE-2026-27732: SSRF in AVideo Encoder API

Platform

php

Component

wwbn/avideo

Fixed in

22.0.1

21.0.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-27732 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the AVideo Encoder API. This vulnerability allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing sensitive internal data. The vulnerability affects AVideo versions prior to 22.0. A fix is available in version 22.0.

Impact and Attack Scenarios

The SSRF vulnerability in AVideo's aVideoEncoder.json.php API endpoint arises from insufficient validation of the downloadURL parameter. An authenticated attacker can exploit this by providing a malicious URL, causing the server to make requests to arbitrary destinations, including internal network endpoints. This could lead to the retrieval of sensitive data from internal services, potentially exposing credentials, configuration files, or other confidential information. The attacker's ability to interact with internal services significantly expands the potential blast radius of this vulnerability.

Exploitation Context

CVE-2026-27732 was publicly disclosed on 2026-02-25. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the SSRF nature of the vulnerability makes it likely that such code will emerge. The CVSS score of 8.1 (HIGH) reflects the potential impact of data exposure and internal service interaction.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.03% (9% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1 HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: None (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: wwbn/avideo
Vendor: osv

Affected range | Fixed in
< 22.0 | 22.0.1
21.0.0 | 21.0.1

Package Information

Last updated: recently (29.0)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Patched -1 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-27732 is to upgrade to AVideo version 22.0 or later, which includes the necessary input validation to prevent SSRF attacks. If upgrading is not immediately feasible, implement a Web Application Firewall (WAF) rule to block requests with suspicious URLs. Additionally, consider implementing stricter input validation on the downloadURL parameter, enforcing an allow-list of permitted domains or protocols. After upgrading, confirm the fix by attempting to trigger an SSRF request with a known malicious URL; the request should be blocked.
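The allow-list validation described above, as an added illustration that is not AVideo's own code or its actual fix: the function name, the allow-listed hosts and the scheme list are assumptions, and the resolved-address check is what stops an allow-listed name from quietly pointing at an internal service.

```php
<?php
// Added example (not AVideo's code): allow-list validation for a
// user-supplied download URL such as the downloadURL parameter.
// ALLOWED_HOSTS is a constructed sample; validateDownloadUrl is hypothetical.

const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_HOSTS   = ['cdn.example.org', 'media.example.org']; // constructed

/**
 * Returns the URL unchanged if it passes every check, otherwise null.
 * Rejects unparseable URLs, schemes other than http/https, embedded
 * credentials, hosts outside the allow-list, and allow-listed hosts
 * whose DNS answer contains a loopback, private or reserved address.
 */
function validateDownloadUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null; // refuses file://, gopher://, dict:// and friends
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // "http://allowed-host@other-host/" style confusion
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null; // exact match only: no suffix or substring matching
    }
    // Resolve the name and inspect every A record (gethostbynamel is IPv4
    // only; an IPv6-enabled deployment must also check AAAA records).
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return null; // RFC 1918, loopback, link-local, 0.0.0.0/8, etc.
        }
    }
    return $url;
}
```

The resolution check still leaves a DNS-rebinding window between validation and the actual fetch; to close it, connect to the address that was validated (for example via CURLOPT_RESOLVE) rather than letting the HTTP client resolve the name a second time.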

How to fix

Update AVideo to version 22.0 or higher. This version contains the fix for the SSRF vulnerability. The update can be performed through the administration panel or by downloading the latest version of the software from the official website and following the update instructions.


Frequently asked questions

What is CVE-2026-27732 — SSRF in AVideo Encoder API?

CVE-2026-27732 is a HIGH severity SSRF vulnerability affecting AVideo versions prior to 22.0. It allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing internal data.

Am I affected by CVE-2026-27732 in AVideo Encoder API?

You are affected if you are using AVideo versions 21.0.0 or earlier. Upgrade to version 22.0 to resolve the vulnerability.

How do I fix CVE-2026-27732 in AVideo Encoder API?

Upgrade to AVideo version 22.0. As a temporary workaround, implement a WAF rule to block suspicious URLs or enforce stricter input validation on the downloadURL parameter.

Is CVE-2026-27732 being actively exploited?

There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.

Where can I find the official AVideo advisory for CVE-2026-27732?

Refer to the official AVideo security advisory for detailed information and updates: [https://www.avideo.com/security/advisories](https://www.avideo.com/security/advisories)
