CVE-2026-39370: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
CVE-2026-39370 is a Server-Side Request Forgery (SSRF) vulnerability in WWBN AVideo versions 26. 0 and earlier. The vulnerability arises because the application allows attacker-controlled downloadURL parameters with common media or archive file extensions to bypass SSRF validation. An authenticated uploader can exploit this to make the server fetch arbitrary URLs and store the response as media content. This issue is due to an incomplete fix for a previous SSRF vulnerability (CVE-2026-27732). The vulnerability has a high severity score of 7. 1 and impacts confidentiality but not availability or integrity.
AI Analysis
Technical Summary
WWBN AVideo, an open source video platform, contains an SSRF vulnerability in versions 26.0 and prior. The endpoint objects/aVideoEncoder.json.php accepts downloadURL parameters with extensions like .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm, which bypass SSRF validation. This allows an authenticated user to cause the server to fetch arbitrary URLs and save the fetched content as media, effectively enabling SSRF response exfiltration. The vulnerability stems from an incomplete remediation of CVE-2026-27732. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. No official patch or remediation guidance has been published yet.
Potential Impact
An authenticated uploader can exploit this SSRF vulnerability to make the server perform arbitrary HTTP requests and store the responses as media content. This can lead to unauthorized disclosure of internal resources or sensitive data accessible to the server. The confidentiality impact is high, while integrity and availability impacts are low or none. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should restrict upload-by-URL functionality to trusted users only and monitor for suspicious activity. Avoid exposing the vulnerable endpoint to untrusted users until a fix is released. Follow vendor communications closely for updates on remediation.
CVE-2026-39370: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
Description
CVE-2026-39370 is a Server-Side Request Forgery (SSRF) vulnerability in WWBN AVideo versions 26. 0 and earlier. The vulnerability arises because the application allows attacker-controlled downloadURL parameters with common media or archive file extensions to bypass SSRF validation. An authenticated uploader can exploit this to make the server fetch arbitrary URLs and store the response as media content. This issue is due to an incomplete fix for a previous SSRF vulnerability (CVE-2026-27732). The vulnerability has a high severity score of 7. 1 and impacts confidentiality but not availability or integrity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo, an open source video platform, contains an SSRF vulnerability in versions 26.0 and prior. The endpoint objects/aVideoEncoder.json.php accepts downloadURL parameters with extensions like .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm, which bypass SSRF validation. This allows an authenticated user to cause the server to fetch arbitrary URLs and save the fetched content as media, effectively enabling SSRF response exfiltration. The vulnerability stems from an incomplete remediation of CVE-2026-27732. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. No official patch or remediation guidance has been published yet.
Potential Impact
An authenticated uploader can exploit this SSRF vulnerability to make the server perform arbitrary HTTP requests and store the responses as media content. This can lead to unauthorized disclosure of internal resources or sensitive data accessible to the server. The confidentiality impact is high, while integrity and availability impacts are low or none. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should restrict upload-by-URL functionality to trusted users only and monitor for suspicious activity. Avoid exposing the vulnerable endpoint to untrusted users until a fix is released. Follow vendor communications closely for updates on remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-06T21:29:17.350Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d55f0aaaed68159a5629c9
Added to database: 4/7/2026, 7:46:18 PM
Last enriched: 4/15/2026, 12:36:53 PM
Last updated: 5/22/2026, 2:17:21 PM
Views: 40
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.