CVE-2026-27732: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
AI Analysis
Technical Summary
WWBN AVideo, an open-source video platform, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-27732 and classified under CWE-918. The flaw resides in the aVideoEncoder.json.php API endpoint, which accepts a downloadURL parameter and fetches the referenced resource server-side. Prior to version 22.0, this parameter is neither validated nor restricted by an allow-list, so an authenticated user can supply an arbitrary URL and have the server issue HTTP requests to internal or external systems on their behalf. Such requests can reach internal services that are not exposed externally, including internal APIs, metadata services, or administrative interfaces. Depending on the deployment environment, this can lead to sensitive data disclosure or serve as a pivot point for further network compromise. The vulnerability requires authentication but no additional privileges or user interaction, so any holder of a valid account can exploit it without further steps. The CVSS 4.0 base score is 8.6 (high severity), reflecting the significant confidentiality and integrity impact combined with ease of exploitation. No known exploits are currently reported in the wild. The vendor has addressed the issue in AVideo version 22.0 by implementing proper validation and allow-listing of URLs in the downloadURL parameter.
Potential Impact
The SSRF vulnerability allows authenticated attackers to make arbitrary server-side HTTP requests, potentially accessing sensitive internal services that are not exposed externally. This can lead to unauthorized disclosure of confidential information such as internal APIs, metadata services, or other protected resources. In some environments, SSRF can be chained with other vulnerabilities to escalate privileges or execute remote code, increasing the risk of full system compromise. Organizations running affected versions of AVideo may face data breaches, service disruptions, or lateral movement within their networks. Since the flaw requires only authentication, any compromised or malicious user account can be leveraged to exploit this vulnerability. The impact is particularly severe in cloud or containerized deployments where metadata services contain critical credentials or configuration data. Overall, this vulnerability poses a significant risk to confidentiality and integrity of organizational assets.
Mitigation Recommendations
1. Upgrade all AVideo instances to version 22.0 or later, where the vulnerability is patched.
2. If immediate upgrade is not feasible, restrict access to the aVideoEncoder.json.php API endpoint to trusted users only and monitor usage closely.
3. Implement network segmentation and firewall rules to limit the server's ability to make outbound requests to sensitive internal services or metadata endpoints.
4. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SSRF patterns targeting the downloadURL parameter.
5. Conduct regular audits of user accounts and privileges to reduce the risk of compromised credentials being used for exploitation.
6. Review and harden internal services to require strong authentication and minimize sensitive data exposure.
7. Monitor logs for unusual server-side request activity originating from the AVideo server.
8. Educate administrators about SSRF risks and ensure secure coding practices for any custom integrations with AVideo.
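The fix the advisory describes is validation plus an allow-list on the user-supplied download URL. The following is an added example of what such a check looks like; it is not AVideo's code and does not reproduce the project's patch. The allowed hosts, the sample URLs and the DNS table are constructed for the illustration. Beyond a plain host allow-list, it also rejects non-HTTPS schemes, credentials in the authority part, unexpected ports, and any host that resolves to a loopback, private or link-local address, which is the class of check that keeps a fetch from reaching internal APIs or cloud metadata services.

```python
"""Allow-list validation for a user-supplied download URL (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list: the only origins this server may fetch media from.
ALLOWED_HOSTS = {"cdn.example.com", "media.example.org"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


class UnsafeURL(ValueError):
    """Raised when a download URL fails one of the allow-list checks."""


def _is_public_ip(ip):
    # Loopback, RFC 1918 / ULA, link-local (where cloud metadata endpoints
    # live), multicast, reserved and unspecified addresses are all rejected.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host):
    """Resolve a host name to every A/AAAA address it maps to (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_download_url(url, resolver=default_resolver):
    """Return a normalised URL if every check passes, else raise UnsafeURL.

    Order of checks: scheme, userinfo, host allow-list, port, then every
    resolved address must be publicly routable. Checking all addresses
    covers a name on the allow-list that (re)points at an internal IP.
    The caller must still fetch with redirects disabled, or re-run this
    check on each redirect target, so a 302 cannot bypass the allow-list.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    host = host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allow-list: {host!r}")
    try:
        port = parts.port or 443
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    try:
        addresses = resolver(host)
    except OSError as exc:
        raise UnsafeURL(f"could not resolve {host!r}") from exc
    for addr in addresses:
        if not _is_public_ip(ipaddress.ip_address(addr)):
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")
    # Drop the fragment and pin scheme/host/port explicitly.
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}:{port}{parts.path or '/'}{query}"


def make_resolver(table):
    """Build an offline resolver from a constructed {host: [ip, ...]} table."""
    def resolve(host):
        if host not in table:
            raise OSError("NXDOMAIN")
        return set(table[host])
    return resolve


def classify(urls, resolver):
    """Return {url: 'allowed' | 'rejected: <reason>'} for each candidate."""
    results = {}
    for u in urls:
        try:
            validate_download_url(u, resolver)
            results[u] = "allowed"
        except UnsafeURL as exc:
            results[u] = f"rejected: {exc}"
    return results


# Constructed DNS table: media.example.org is on the allow-list but resolves
# to a private address, which is the case a host-only check would miss.
SAMPLE_DNS = {"cdn.example.com": ["93.184.216.34"],
              "media.example.org": ["10.0.0.5"]}

# Constructed candidate URLs exercising each rejection path.
SAMPLE_URLS = [
    "https://cdn.example.com/videos/clip.mp4",
    "http://cdn.example.com/videos/clip.mp4",
    "https://10.0.0.1/",
    "https://cdn.example.com:8080/x",
    "https://user@cdn.example.com/x",
    "https://media.example.org/x",
    "file:///tmp/example.txt",
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS, make_resolver(SAMPLE_DNS)).items():
        print(f"{verdict:60} {url}")
```

In production, point `resolver` at real DNS and pass the validated, pinned URL to an HTTP client configured with redirects off and short timeouts; resolving once here and letting the client resolve again leaves a small window, so a stricter variant connects to the vetted IP directly and sets the Host header itself.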
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T18:37:14.789Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e0f3fbe58cf853b290da4
Added to database: 2/24/2026, 8:51:11 PM
Last enriched: 3/4/2026, 6:50:41 PM
Last updated: 4/10/2026, 11:18:56 PM
Views: 37