CVE-2026-39370: WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)

April 8, 2026

The fix for CVE-2026-27732 is incomplete.

objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content.

This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9
github.com/advisories/GHSA-cmcr-q4jf-p6q9
nvd.nist.gov/vuln/detail/CVE-2026-39370

Code Behaviors & Features

Detect and mitigate CVE-2026-39370 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →