CVE-2026-27732: AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
The aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints).
An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment.
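One way to enforce the validation and allow-list that the endpoint lacks, shown as an added example (it is not AVideo's code or its patch). The names `ALLOWED_HOSTS`, `validateDownloadUrl` and `fetchValidated`, the optional `$resolver` hook and the example.com hosts are assumptions made for illustration.

```php
<?php
// Added example, not AVideo's code. Host names are constructed placeholders.
const ALLOWED_HOSTS = ['media.example.com', 'cdn.example.com'];
/** Returns [host, port, ip] to pin the fetch to, or throws on any rejected input. */
function validateDownloadUrl(string $url, ?callable $resolver = null): array
{
    $resolver ??= 'gethostbynamel';            // IPv4 A records only
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    $host = strtolower($p['host']);
    if (isset($p['user']) || !in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('userinfo or host not allowed');
    }
    $ips = $resolver($host) ?: [];
    if ($ips === []) {
        throw new InvalidArgumentException('host does not resolve');
    }
    // Reject private and reserved ranges (incl. 127/8 and 169.254/16, where cloud metadata lives).
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new InvalidArgumentException("resolves to non-public address $ip");
        }
    }
    return [$host, $p['port'] ?? ($scheme === 'https' ? 443 : 80), $ips[0]];
}

/** Fetch only after validation, connecting to the exact IP that was checked. */
function fetchValidated(string $url): string
{
    [$host, $port, $ip] = validateDownloadUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,       // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],   // pin the checked IP against DNS rebinding
    ]);
    if (($body = curl_exec($ch)) === false) {
        throw new RuntimeException('fetch failed: ' . curl_error($ch));
    }
    return $body;
}
```

The address check runs even for allow-listed names, so an allow-listed host whose DNS record is later repointed at an internal address is still refused.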