AVideo Platform Hit by SSRF Vulnerability, Leaking Sensitive Data
CVE Notify is flagging a serious Server-Side Request Forgery (SSRF) vulnerability in the open-source WWBN AVideo platform. Affecting versions 26.0 and prior, the issue stems from an incomplete patch for a previous vulnerability, CVE-2026-27732. The vulnerability lies within objects/aVideoEncoder.json.php, where insufficient validation allows attackers to craft download URLs with common media or archive file extensions. This bypasses SSRF checks, enabling the server to fetch and store arbitrary content, effectively turning an upload-by-URL feature into a data exfiltration tool.
According to CVE Notify, an authenticated uploader can exploit this flaw to reliably extract sensitive server responses. By manipulating the downloadURL parameter, an attacker can trick the AVideo server into making requests to internal or external resources and then capture the responses. This could expose internal network information or other sensitive data that the server has access to, posing a significant risk to system integrity and data confidentiality.
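To make the flaw concrete, here is an added Python illustration (not AVideo's code, and not the upstream fix): an extension-only allowlist of the kind the advisory describes, beside a validator that treats the resolved destination address, not the file name, as the security boundary. The hostnames, IP addresses and the offline resolver are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Extensions an upload-by-URL feature might accept (constructed list).
ALLOWED_EXTENSIONS = (".mp4", ".mp3", ".webm", ".mkv", ".zip", ".rar")

def extension_only_check(url: str) -> bool:
    """The flawed pattern: the file name decides, so any host is reachable
    as long as the path ends in an allowed media or archive extension."""
    return urlsplit(url).path.lower().endswith(ALLOWED_EXTENSIONS)

def is_public_address(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local, multicast, reserved and
    unspecified addresses; works for IPv4 and IPv6 literals alike."""
    addr = ipaddress.ip_address(ip)
    blocked = (addr.is_private or addr.is_loopback or addr.is_link_local or
               addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return addr.is_global and not blocked

def hardened_check(url: str, resolve) -> bool:
    """Validate the destination, not the file name: http(s) only, no
    userinfo, and every address the host resolves to must be public.
    `resolve` maps a hostname to a list of IP strings (injected so the
    example runs offline). The fetcher must then connect to the validated
    IP rather than re-resolve, or a DNS rebinding race defeats the check,
    and every redirect hop needs the same validation."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password or not parts.hostname:
        return False
    if not extension_only_check(url):   # keep it, but it is not the boundary
        return False
    try:
        addresses = resolve(parts.hostname)
    except (OSError, ValueError):
        return False
    return bool(addresses) and all(is_public_address(a) for a in addresses)

# Constructed DNS table for the offline demonstration.
FAKE_DNS = {"cdn.example.com": ["93.184.216.34"],
            "intranet.corp.example": ["10.20.30.40"]}

def fake_resolver(host: str) -> list:
    """IP literals resolve to themselves; names come from FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])
```

The first function accepts an internal address as long as the path looks like a media file, which is exactly the bypass the advisory describes; the second rejects it regardless of extension.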
What This Means For You
- Immediately update WWBN AVideo instances to the patched version (26.1 or later) to mitigate the SSRF vulnerability and prevent potential data exfiltration by authenticated users.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-39370 | SSRF | WWBN AVideo versions 26.0 and prior, component: objects/aVideoEncoder.json.php, vulnerability: allows attacker-controlled downloadURL values with common media or archive extensions to bypass SSRF validation, leading to response exfiltration. |
| CVE-2026-39370 | Information Disclosure | WWBN AVideo versions 26.0 and prior, component: objects/aVideoEncoder.json.php, vulnerability: SSRF response-exfiltration primitive due to improper validation of downloadURL. |
| CVE-2026-39370 | Misconfiguration | WWBN AVideo versions 26.0 and prior, component: objects/aVideoEncoder.json.php, vulnerability: incomplete fix for CVE-2026-27732 leading to bypass of SSRF validation. |