Platform: php
Component: wwbn/avideo
Fixed in: 22.0.1, 21.0.1
CVE-2026-27732 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the AVideo Encoder API. This vulnerability allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing sensitive internal data. The vulnerability affects AVideo versions prior to 22.0. A fix is available in version 22.0.
The SSRF vulnerability in AVideo's aVideoEncoder.json.php API endpoint arises from insufficient validation of the downloadURL parameter. An authenticated attacker can exploit this by providing a malicious URL, causing the server to make requests to arbitrary destinations, including internal network endpoints. This could lead to the retrieval of sensitive data from internal services, potentially exposing credentials, configuration files, or other confidential information. The attacker's ability to interact with internal services significantly expands the potential blast radius of this vulnerability.
CVE-2026-27732 was publicly disclosed on 2026-02-25. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the SSRF nature of the vulnerability makes it likely that such code will emerge. The CVSS score of 8.1 (HIGH) reflects the potential impact of data exposure and internal service interaction.
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-27732 is to upgrade to AVideo version 22.0 or later, which includes the necessary input validation to prevent SSRF attacks. If upgrading is not immediately feasible, implement a Web Application Firewall (WAF) rule to block requests with suspicious URLs. Additionally, consider implementing stricter input validation on the downloadURL parameter, enforcing an allow-list of permitted domains or protocols. After upgrading, confirm the fix by attempting to trigger an SSRF request with a known malicious URL; the request should be blocked.
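As an added example of the allow-list validation described above (this is not AVideo's own code or its upstream patch), the following PHP check rejects a downloadURL value unless its scheme, host and every resolved address pass; the ALLOWED_HOSTS entries are assumed placeholders, and the parameter is assumed to arrive as a POST field.

```php
<?php
// Added example (not AVideo's own code): allow-list check for a user-supplied
// download URL before the server fetches it. ALLOWED_HOSTS is an assumed
// placeholder; replace it with the hosts your deployment really pulls from.
const ALLOWED_SCHEMES = ['https'];
const ALLOWED_HOSTS   = ['cdn.example.com', 'media.example.com'];

// Returns null when $url may be fetched, otherwise a short rejection reason.
function validateDownloadUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return 'unparseable URL or missing scheme/host';
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return 'scheme not allowed';          // blocks file:, gopher:, http: ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL not allowed';
    }
    if (isset($parts['port']) && $parts['port'] !== 443) {
        return 'non-default port not allowed'; // no reaching internal ports
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return 'host not on allow-list';
    }
    // Check every resolved address so an allow-listed name that points at a
    // loopback/RFC1918/link-local address (127.0.0.1, 10.x, 169.254.x) fails.
    $addrs = gethostbynamel($host);
    if (empty($addrs)) {
        return 'host did not resolve';
    }
    foreach ($addrs as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return "host resolves to non-public address $ip";
        }
    }
    return null;
}

// At the API boundary: reject before any server-side request is made.
$downloadURL = $_POST['downloadURL'] ?? '';
if (($reason = validateDownloadUrl($downloadURL)) !== null) {
    http_response_code(400);
    exit(json_encode(['error' => 'downloadURL rejected: ' . $reason]));
}
```

The resolution check still leaves a window between validation and the actual fetch (DNS rebinding); pinning the fetch to the validated address, for example with curl's CURLOPT_RESOLVE, closes it.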
Update AVideo to version 22.0 or higher. This version contains the fix for the SSRF vulnerability. The update can be performed through the administration panel or by downloading the latest version of the software from the official website and following the update instructions.
CVE-2026-27732 is a HIGH severity SSRF vulnerability affecting AVideo versions prior to 22.0. It allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing internal data.
You are affected if you are using AVideo versions 21.0.0 or earlier. Upgrade to version 22.0 to resolve the vulnerability.
Upgrade to AVideo version 22.0. As a temporary workaround, implement a WAF rule to block suspicious URLs or enforce stricter input validation on the downloadURL parameter.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the official AVideo security advisory for detailed information and updates: [https://www.avideo.com/security/advisories](https://www.avideo.com/security/advisories)