Platform: php
Component: wwbn/avideo
Fixed in: 22.0.1, 21.0.1
CVE-2026-27732 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the AVideo Encoder API. This vulnerability allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing sensitive internal data. The vulnerability affects AVideo versions prior to 22.0. A fix is available in version 22.0.
The SSRF vulnerability in AVideo's aVideoEncoder.json.php API endpoint arises from insufficient validation of the downloadURL parameter. An authenticated attacker can exploit this by providing a malicious URL, causing the server to make requests to arbitrary destinations, including internal network endpoints. This could lead to the retrieval of sensitive data from internal services, potentially exposing credentials, configuration files, or other confidential information. The attacker's ability to interact with internal services significantly expands the potential blast radius of this vulnerability.
CVE-2026-27732 was publicly disclosed on 2026-02-25. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the SSRF nature of the vulnerability makes it likely that such code will emerge. The CVSS score of 8.1 (HIGH) reflects the potential impact of data exposure and internal service interaction.
Organizations utilizing AVideo versions prior to 22.0, particularly those with internal services accessible via the network, are at risk. Shared hosting environments where multiple users share the same AVideo instance are also particularly vulnerable, as a compromised user account could be leveraged to exploit the SSRF vulnerability.
• php: Examine access logs for requests to aVideoEncoder.json.php with unusual or unexpected downloadURL parameters. Look for URLs pointing to internal IP addresses or non-standard ports.
  grep 'aVideoEncoder.json.php' access.log | grep 'downloadURL='
• generic web: Use curl to test the endpoint with a known internal URL and verify that the request is blocked.
  curl -v 'http://<avideo_server>/aVideoEncoder.json.php?downloadURL=http://169.254.169.254/mgmt/inventory'
• generic web: Check response headers for unexpected content types or error messages indicating an internal server error when attempting an SSRF request.
disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27732 is to upgrade to AVideo version 22.0 or later, which includes the necessary input validation to prevent SSRF attacks. If upgrading is not immediately feasible, implement a Web Application Firewall (WAF) rule to block requests with suspicious URLs. Additionally, consider implementing stricter input validation on the downloadURL parameter, enforcing an allow-list of permitted domains or protocols. After upgrading, confirm the fix by attempting to trigger an SSRF request with a known malicious URL; the request should be blocked.
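The log review suggested in the detection steps above and the scheme/address checks described in this mitigation, as an added example that is not part of the advisory or of AVideo's own code: it parses access-log lines, extracts the downloadURL parameter from requests to aVideoEncoder.json.php and flags values aimed at loopback, private or link-local addresses or non-standard ports. The log lines, the endpoint path and the port allow-list are constructed assumptions.

```python
# Added example (not AVideo's own code): scan web-server access logs for
# aVideoEncoder.json.php requests whose downloadURL targets loopback,
# private or link-local addresses, or non-standard ports.
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /aVideoEncoder.json.php?downloadURL=https%3A%2F%2Fcdn.example.com%2Fclip.mp4 HTTP/1.1" 200 512
10.0.0.7 - - [25/Feb/2026:10:02:10 +0000] "GET /aVideoEncoder.json.php?downloadURL=http%3A%2F%2F169.254.169.254%2Fmgmt%2Finventory HTTP/1.1" 200 88
10.0.0.7 - - [25/Feb/2026:10:03:15 +0000] "GET /aVideoEncoder.json.php?downloadURL=http%3A%2F%2F10.0.0.12%3A8080%2Fadmin HTTP/1.1" 500 0
10.0.0.9 - - [25/Feb/2026:10:04:20 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request target in the log line

def url_risk(url: str) -> Optional[str]:
    """Return why a downloadURL looks like an SSRF probe, or None if it looks benign."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if not host:
        return "missing host"
    try:
        internal = not ipaddress.ip_address(host).is_global  # IP literal: reject non-global
    except ValueError:
        internal = host == "localhost"  # hostname rather than an IP literal
    if internal:
        return f"internal address {host}"
    if parts.port not in (None, 80, 443):  # None means the scheme's default port
        return f"non-standard port {parts.port}"
    return None

def scan_access_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, downloadURL, reason) for each suspicious encoder request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match or "aVideoEncoder.json.php" not in match.group(1):
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(match.group(1)).query
        for target in parse_qs(query).get("downloadURL", []):  # parse_qs URL-decodes
            reason = url_risk(target)
            if reason:
                findings.append((client_ip, target, reason))
    return findings
```

The same url_risk check, inverted into an allow-list of permitted schemes, hosts and ports, is the shape of validation the mitigation above calls for on the server side.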
Update AVideo to version 22.0 or later. That version contains the fix for the SSRF vulnerability. The update can be done through the administration panel or by downloading the latest version of the software from the official website and following the upgrade instructions.
CVE-2026-27732 is a HIGH severity SSRF vulnerability affecting AVideo versions prior to 22.0. It allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing internal data.
You are affected if you are using AVideo versions 21.0.0 or earlier. Upgrade to version 22.0 to resolve the vulnerability.
Upgrade to AVideo version 22.0. As a temporary workaround, implement a WAF rule to block suspicious URLs or enforce stricter input validation on the downloadURL parameter.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the official AVideo security advisory for detailed information and updates: [https://www.avideo.com/security/advisories](https://www.avideo.com/security/advisories)