CVE-2026-39370 | THREATINT

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-07 | Updated 2026-04-08 | Assigner GitHub_M

HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

<= 26.0

affected

References

github.com/...AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9 exploit

github.com/...AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9

cve.org (CVE-2026-39370)

nvd.nist.gov (CVE-2026-39370)

Download JSON