CVE-2026-27732
Published: 24 February 2026
Summary
CVE-2026-27732 is a high-severity SSRF (CWE-918) vulnerability in WWBN AVideo. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly mandates validation of the `downloadURL` parameter so that only expected and safe URLs are processed server-side, preventing SSRF exploitation. In practice this means an allow-list of schemes and hosts, a check of every address the host resolves to (rejecting loopback, RFC 1918, link-local and cloud-metadata ranges), and re-validation of any redirect target.
SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of the SSRF flaw, such as upgrading to AVideo version 22.0, where the vulnerability is patched.
SC-7 (Boundary Protection): Implements boundary protections to monitor and control the application server's outbound traffic, limiting what an SSRF can reach among internal network endpoints and services.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing web application endpoint directly enables T1190 exploitation; the description explicitly calls out use of the flaw to query internal and cloud-metadata services to retrieve sensitive data or credentials, which maps to T1552.005 (Unsecured Credentials: Cloud Instance Metadata API). T1522 is the deprecated top-level ID for that same technique, which ATT&CK folded into T1552.005; the two entries refer to one technique.
NVD Description
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.
Deeper analysis
CVE-2026-27732 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the WWBN AVideo open source video platform in versions prior to 22.0. The issue resides in the `aVideoEncoder.json.php` API endpoint, which accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list, enabling requests to arbitrary URLs including internal network endpoints.
Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By supplying a malicious `downloadURL`, they can trigger SSRF to interact with internal services, retrieve sensitive data from sources like internal APIs or metadata services, and potentially achieve further compromise based on the deployment environment. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity with no availability impact.
The vulnerability has been fixed in AVideo version 22.0. Mitigation involves upgrading to this version or later. Key references include the patching commit at https://github.com/WWBN/AVideo/commit/384ef2548093f4cbb1bfac00f1f429fe57fab853, the release announcement at https://github.com/WWBN/AVideo/releases/tag/22.0, and the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6.
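The validation the analysis above calls for, and a check over web-server logs for the same parameter, as an added example. This is not AVideo's code or the fix from the linked commit: the allow-list, the host names, the resolver table and the access-log lines are all constructed so the example runs offline, and the `/objects/` path prefix in the sample log is assumed (the detector keys on the file name only). The validator rejects a `downloadURL` unless its scheme and host are allow-listed and every address the host resolves to is publicly routable, which is what stops requests to loopback, RFC 1918 and the 169.254.169.254 metadata address even when they hide behind a DNS name or an IPv4-mapped IPv6 literal.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of origins the encoder may fetch from (assumption:
# AVideo ships no such list; the real fix is in the commit linked above).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"cdn.example.com", "staging.example.com", "mirror.example.com"}

# Constructed resolver table so the example runs offline. A real deployment
# would call socket.getaddrinfo() and run the same check on every record.
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],                  # placeholder public address
    "staging.example.com": ["::ffff:10.0.0.5"],      # allow-listed name pointing inside
    "mirror.example.com": ["8.8.4.4", "10.0.0.5"],   # mixed records: one public, one private
}


def resolve(host, resolver):
    """Return the addresses for host: the literal itself, or the table entries."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return resolver.get(host, [])


def validate_download_url(url, resolver=FAKE_DNS):
    """Return (ok, reason). The URL is accepted only if every check passes."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:            # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "userinfo in URL"   # http://cdn.example.com@evil.example.net/
    host = parts.hostname
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host}"
    addrs = resolve(host, resolver)
    if not addrs:
        return False, f"cannot resolve {host}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped           # ::ffff:10.0.0.5 is really 10.0.0.5
        if not ip.is_global:              # RFC 1918, loopback, link-local (169.254.169.254), ...
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed access-log lines (not real data); the /objects/ prefix is assumed.
SAMPLE_LOG = """\
10.1.2.3 - - [24/Feb/2026:10:00:01 +0000] "GET /objects/aVideoEncoder.json.php?downloadURL=https%3A%2F%2Fcdn.example.com%2Fclip.mp4 HTTP/1.1" 200 512
10.1.2.4 - - [24/Feb/2026:10:00:07 +0000] "GET /objects/aVideoEncoder.json.php?downloadURL=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 944
10.1.2.5 - - [24/Feb/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 8831
10.1.2.4 - - [24/Feb/2026:10:00:15 +0000] "GET /objects/aVideoEncoder.json.php?downloadURL=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 301
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_ssrf_attempts(log_text, resolver=FAKE_DNS):
    """Run the validator over logged downloadURL values; return the rejected ones."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("aVideoEncoder.json.php"):
            continue
        for url in parse_qs(query).get("downloadURL", []):
            ok, reason = validate_download_url(url, resolver)
            if not ok:
                hits.append((url, reason))
    return hits


if __name__ == "__main__":
    for url, reason in find_ssrf_attempts(SAMPLE_LOG):
        print(f"REJECT {url}: {reason}")
```

Two caveats for anyone adapting this. The address checked here is not necessarily the one the HTTP client later connects to (DNS can change between lookup and fetch), so the fetch should be pinned to the validated address, and redirects must either be disabled or have each hop re-validated. And the log scan only sees `downloadURL` when it travels in the query string; if the endpoint is called with a POST body, the parameter never reaches the access log and the check has to run in the application or a request-logging proxy instead.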
Details
- CWE(s)