Cyber Resilience

CVE-2026-27732

Severity: High
Published: 24 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: available (AVideo 22.0)
CVSS v4.0 base score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
EPSS score: 0.0024 (percentile 14.3)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27732 is a high-severity SSRF (CWE-918) vulnerability in WWBN AVideo. Its CVSS v4.0 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at percentile 14.3 by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27732 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the WWBN AVideo open source video platform in versions prior to 22.0. The issue resides in the `aVideoEncoder.json.php` API endpoint, which accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list, enabling requests to arbitrary URLs including internal network endpoints.

Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By supplying a malicious `downloadURL`, they can trigger SSRF to interact with internal services, retrieve sensitive data from sources like internal APIs or metadata services, and potentially achieve further compromise based on the deployment environment. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity with no availability impact.

The vulnerability has been fixed in AVideo version 22.0. Mitigation involves upgrading to this version or later. Key references include the patching commit at https://github.com/WWBN/AVideo/commit/384ef2548093f4cbb1bfac00f1f429fe57fab853, the release announcement at https://github.com/WWBN/AVideo/releases/tag/22.0, and the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6.
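The following is an added example written for this page, not AVideo's own code, showing the shape of the server-side check the advisory says was missing: an allow-list of schemes, rejection of userinfo, resolution of the host to an address that is then pinned for the connection, rejection of any non-global address (loopback, RFC 1918, link-local including 169.254.169.254, IPv4-mapped IPv6), and re-validation of every redirect hop. The function names, the fake DNS table and the fake single-request fetcher are assumptions constructed so the example runs offline; the `downloadURL` parameter name is the one from the advisory.

```python
"""Hardened handling of a user-supplied download URL (added example, not
AVideo code). `downloadURL` is the advisory's parameter name; function names,
the fake DNS table and the fake fetcher are assumptions so it runs offline."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


class UnsafeURL(ValueError):
    """The URL must not be fetched server-side."""


def is_disallowed_ip(ip_str):
    # Reject anything not globally routable: loopback, RFC 1918, link-local
    # (169.254.169.254), multicast, reserved. Unwrap IPv4-mapped IPv6 first so
    # ::ffff:127.0.0.1 cannot smuggle loopback past the check.
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_download_url(url, resolve=socket.gethostbyname):
    """Return (normalised_url, pinned_ip) or raise UnsafeURL. `resolve` is
    injectable for offline tests. Connect to pinned_ip and never re-resolve,
    or a DNS-rebinding attacker passes the check and then hits an internal host."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        parts.port  # ValueError on a malformed port such as :abc
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    try:
        ip = str(ipaddress.ip_address(host))  # literal: 127.0.0.1, ::1, ...
    except ValueError:
        # Not a literal. ipaddress rejects libc shorthands like 0x7f.1 or
        # 2130706433, so those are judged by whatever they resolve to.
        try:
            ip = resolve(host)
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if is_disallowed_ip(ip):
        raise UnsafeURL(f"{host!r} resolves to non-global address {ip}")
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, "")), ip


def fetch_with_revalidation(url, fetch_one, resolve=socket.gethostbyname):
    """fetch_one(url, pinned_ip) issues ONE request with automatic redirects
    off and returns (status, headers, body); every Location is re-validated.
    A client that follows redirects itself lets a public host bounce the
    server to 169.254.169.254 after the first check has passed."""
    for _ in range(MAX_REDIRECTS + 1):
        url, ip = validate_download_url(url, resolve)
        status, headers, body = fetch_one(url, ip)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        if "Location" not in headers:
            raise UnsafeURL("redirect without Location header")
        url = urljoin(url, headers["Location"])
    raise UnsafeURL("too many redirects")


# Constructed stand-ins so the example runs offline; none of this is real infrastructure.
FAKE_DNS = {"cdn.example.com": "93.184.216.34",   # stand-in for a public CDN address
            "intranet.corp.local": "10.0.0.5"}    # reachable only from inside the network


def fake_resolve(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"constructed resolver: unknown host {host!r}")


def fake_fetch(url, pinned_ip):
    # The /redirect path models an open redirect on a public host that
    # bounces the server to the cloud metadata service.
    if url.startswith("https://cdn.example.com/redirect"):
        return 302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {"Content-Type": "video/mp4"}, b"video-bytes"


def check(url):
    """Run the pipeline on one candidate and describe the outcome."""
    try:
        status, body = fetch_with_revalidation(url, fake_fetch, fake_resolve)
        return f"fetched {status} ({len(body)} bytes)"
    except UnsafeURL as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for c in ["https://cdn.example.com/clip.mp4", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://intranet.corp.local/api",
              "file:///etc/passwd", "https://cdn.example.com/redirect?to=metadata"]:
        print(f"{c:48} -> {check(c)}")
```

In a real PHP deployment the equivalent of `fetch_one` is a curl call with `CURLOPT_FOLLOWLOCATION` off and `CURLOPT_RESOLVE` used to force the connection to the pinned address. Input validation alone is still only one layer: an egress filter on the encoder host that drops traffic from the web-server user to 169.254.169.254 and to private ranges is the backstop that limits what a future bypass can reach.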

Vulnerability details

WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in a public-facing web application endpoint directly enables exploitation under T1190; the description explicitly calls out querying internal services and cloud metadata services to retrieve sensitive data or credentials, which maps to T1552.005.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
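On the detection side, as an added example written for this page (not AVideo tooling), the scan below walks web-server access-log lines, picks out requests to `aVideoEncoder.json.php`, decodes the `downloadURL` parameter and flags values that point at non-global IP literals, well-known metadata or loopback hostnames, or non-HTTP schemes, which is the T1190 to T1552.005 pattern described above. The log lines are constructed; the combined log format, the path at which the endpoint is served and the client addresses are assumptions.

```python
"""Access-log triage for SSRF attempts against aVideoEncoder.json.php
(added example, not AVideo code). Log lines are constructed; the 'combined'
format and the request path are assumptions. No DNS lookups are made, so
only IP literals, known metadata hostnames and bad schemes are flagged."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "avideoencoder.json.php"
# Hostnames that only make sense as an SSRF pivot, never as a video source.
SUSPECT_HOSTS = {"localhost", "metadata", "metadata.google.internal"}


def classify_target(raw_url):
    """Reason string if raw_url points somewhere a video fetcher should never go, else None."""
    parts = urlsplit(raw_url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    if host in SUSPECT_HOSTS:
        return f"suspect hostname {host!r}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname; cannot be judged without resolving it
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return None if ip.is_global else f"non-global IP literal {ip}"


def scan_access_log(lines):
    """Return one finding dict per flagged downloadURL value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.lower().endswith(ENDPOINT):
            continue
        for raw in parse_qs(query).get("downloadURL", []):
            reason = classify_target(raw)
            if reason:
                findings.append({"src": m.group("src"), "ts": m.group("ts"),
                                 "status": int(m.group("status")),
                                 "downloadURL": raw, "reason": reason})
    return findings


def count_by_source(findings):
    """Findings per client address, the natural input for a threshold alert."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


# Constructed sample lines (combined log format); addresses and paths are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Feb/2026:10:00:01 +0000] "GET /aVideoEncoder.json.php?downloadURL=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [24/Feb/2026:10:00:03 +0000] "GET /aVideoEncoder.json.php?downloadURL=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 210 "-" "curl/8.5.0"',
    '198.51.100.7 - - [24/Feb/2026:10:00:05 +0000] "GET /aVideoEncoder.json.php?downloadURL=http%3A%2F%2F10.0.0.5%2Fapi%2Fv1%2Fusers HTTP/1.1" 200 1480 "-" "curl/8.5.0"',
    '203.0.113.42 - - [24/Feb/2026:10:01:00 +0000] "GET /aVideoEncoder.json.php?downloadURL=https%3A%2F%2Fcdn.example.com%2Fclip.mp4 HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Feb/2026:10:01:09 +0000] "GET /aVideoEncoder.json.php?downloadURL=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [24/Feb/2026:10:01:12 +0000] "GET /aVideoEncoder.json.php?downloadURL=http%3A%2F%2Fmetadata.google.internal%2FcomputeMetadata%2Fv1%2F HTTP/1.1" 200 300 "-" "curl/8.5.0"',
    '203.0.113.42 - - [24/Feb/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Feb/2026:10:02:30 +0000] "POST /aVideoEncoder.json.php HTTP/1.1" 200 64 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['status']} {f['reason']}: {f['downloadURL']}")
    print(count_by_source(scan_access_log(SAMPLE_LOG)))
```

Two caveats matter in practice. If the client sends `downloadURL` in a POST body (the last constructed line), it never appears in the access log, so the same logic has to run over application or WAF logs that record request bodies. And because the scanner does no resolution, a value such as `http://intranet.corp.local/api` passes through unflagged; pair this with egress or DNS logs from the encoder host, where a connection from the web-server process to a private address is the unambiguous signal.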

CVEs Like This One

CVE-2026-33039 (same product: WWBN AVideo)
CVE-2026-33351 (same product: WWBN AVideo)
CVE-2026-33480 (same product: WWBN AVideo)
CVE-2026-33502 (same product: WWBN AVideo)
CVE-2026-41055 (same product: WWBN AVideo)
CVE-2026-39370 (same product: WWBN AVideo)
CVE-2026-41060 (same product: WWBN AVideo)
CVE-2026-33292 (same product: WWBN AVideo)
CVE-2026-33479 (same product: WWBN AVideo)
CVE-2026-33767 (same product: WWBN AVideo)

Affected Assets

wwbn avideo, versions before 22.0 (fixed in 22.0)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly mandates validation of the `downloadURL` parameter so that only expected and safe URLs are processed server-side, preventing SSRF exploitation.

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of the SSRF flaw, such as upgrading to AVideo version 22.0, where the vulnerability is patched.

SC-7 Boundary Protection (prevent): implements boundary protections that monitor and control the application server's outbound traffic, limiting what an SSRF can reach on internal network endpoints and services.
