Platform: php
Component: avideo
Fixed in: 26.0.1
CVE-2026-39370 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in AVideo, an open-source video platform. This flaw allows authenticated uploaders to bypass SSRF validation and potentially exfiltrate sensitive data. The vulnerability impacts versions 0.0.0 up to and including 26.0, but is resolved in version 26.1.
An attacker exploiting this SSRF vulnerability can use the upload-by-URL feature to exfiltrate data from internal services or external resources that AVideo can reach. By submitting downloadURL values that point at such resources but end in a common media extension (e.g., .mp4, .zip), the attacker can cause the server to fetch the response and store it as media content, turning the upload process into a covert channel for data exfiltration. The potential impact includes exposure of internal network configurations, sensitive data stored in internal databases, or unauthorized access to external resources.
This vulnerability was publicly disclosed on 2026-04-07. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be easily exploited once a PoC is released. The vulnerability builds upon an incomplete fix for CVE-2026-27732, highlighting the importance of thorough testing after security patches.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-39370 is to upgrade AVideo to version 26.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider temporary workarounds: restrict the AVideo server's outbound network access to only the resources it needs, apply strict validation to the downloadURL parameter so that unexpected schemes, hosts or extensions are rejected before any fetch is made, and monitor AVideo logs for suspicious upload-by-URL activity. After upgrading, confirm the fix by attempting an upload with a URL known to be malicious (one pointing at an internal address) and verifying that the server does not fetch the response.
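The two workarounds above, strict downloadURL validation and log monitoring, are sketched below as an added example; this is not AVideo's own code, and the endpoint path `/upload-by-url`, the host table standing in for DNS and the log lines are all constructed for the example. The check deliberately ignores the file extension and decides on scheme plus the address the host actually resolves to, which is the property the incomplete fix for CVE-2026-27732 lacked. The same logic can be ported into the PHP upload handler or run as a retro-hunt over existing access logs.

```python
"""Reference checks for the two CVE-2026-39370 workarounds named above:
strict validation of a downloadURL before the server fetches it, and
scanning access logs for upload-by-URL requests aimed at internal hosts.
Added example; this is not AVideo's own code."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to the set of addresses it currently points to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_ip(text):
    """True only for a routable, non-internal address. Loopback, RFC 1918,
    link-local (where cloud metadata services live), multicast, reserved
    and unspecified addresses are rejected; IPv4-mapped IPv6 is unwrapped
    first so ::ffff:127.0.0.1 cannot slip past an IPv4-only check."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_download_url(url, resolver=default_resolver):
    """Return (ok, reason). The decision rests on the scheme and on where the
    host really resolves, never on the file extension: an internal URL that
    ends in .mp4 or .zip is exactly the bypass this CVE describes."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '(none)'}"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    host = parsed.hostname  # brackets already stripped from IPv6 literals
    if not host:
        return False, "missing host"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, f"cannot resolve {host}"
    for address in sorted(addresses):
        if not is_public_ip(address):
            return False, f"{host} resolves to non-public address {address}"
    return True, "ok"


# Matches the request line of a combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def find_suspicious_uploads(log_lines, resolver=default_resolver):
    """Return [(line_no, url, reason)] for every request whose downloadURL
    parameter fails check_download_url."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlparse(match.group("path")).query
        for url in parse_qs(query).get("downloadURL", []):
            ok, reason = check_download_url(url, resolver)
            if not ok:
                hits.append((line_no, url, reason))
    return hits


# Constructed sample data so the example runs offline. The endpoint path
# /upload-by-url is a placeholder, not AVideo's real route, and the host
# table stands in for DNS (93.184.216.34 is just a sample public address).
STATIC_HOSTS = {"cdn.example.com": {"93.184.216.34"},
                "intranet.example": {"10.0.0.5"}}


def static_resolver(host):
    try:
        return STATIC_HOSTS[host]
    except KeyError:
        raise OSError(f"unknown host {host}")


SAMPLE_LOG = [  # constructed access-log lines
    '203.0.113.7 - alice [07/Apr/2026:10:15:01 +0000] "POST /upload-by-url?downloadURL=https%3A%2F%2Fcdn.example.com%2Fclip.mp4 HTTP/1.1" 200 512',
    '203.0.113.7 - alice [07/Apr/2026:10:15:09 +0000] "POST /upload-by-url?downloadURL=http%3A%2F%2Fintranet.example%2Freport.zip HTTP/1.1" 200 512',
    '203.0.113.7 - alice [07/Apr/2026:10:15:12 +0000] "POST /upload-by-url?downloadURL=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin%2Fconfig.mp4 HTTP/1.1" 200 512',
    '198.51.100.2 - - [07/Apr/2026:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - alice [07/Apr/2026:10:16:30 +0000] "POST /upload-by-url?downloadURL=file%3A%2F%2F%2Fetc%2Fhosts.mp4 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, url, reason in find_suspicious_uploads(SAMPLE_LOG, static_resolver):
        print(f"line {line_no}: {url} -> {reason}")
```

Two caveats when adopting this. First, the address that passed validation must be the one the fetch actually connects to: resolve once, connect to that IP with the Host header set, and re-validate every redirect hop, otherwise a name that resolves differently on the second lookup, or a public URL that redirects to an internal one, defeats the check. Second, if AVideo carries downloadURL in the POST body rather than the query string, web-server access logs will not contain it, and the scan has to run over application logs that record the parameter.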
Update AVideo to version 26.1 or higher to mitigate the SSRF vulnerability. The update corrects a flaw in download URL validation that allowed attackers to exfiltrate internal responses.
CVE-2026-39370 is a Server-Side Request Forgery vulnerability in AVideo versions 0.0.0 through 26.0, allowing attackers to exfiltrate data via the upload-by-URL feature.
You are affected if you are running AVideo versions 0.0.0 through 26.0. Upgrade to version 26.1 or later to mitigate the risk.
Upgrade AVideo to version 26.1 or later. As a temporary workaround, restrict network access and implement strict input validation on the downloadURL parameter.
There is currently no evidence of active exploitation, but the vulnerability is considered exploitable and could be targeted in the future.
Refer to the AVideo project's official website and security advisories for the latest information and updates regarding CVE-2026-39370.