CVE-2026-39370
Published: 07 April 2026
Summary
CVE-2026-39370 is a high-severity SSRF (CWE-918) vulnerability in Wwbn Avideo. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SSRF by requiring validation of attacker-controlled downloadURL inputs to block bypasses using common media extensions like .mp4 or .zip.
Remediates the SSRF flaw in objects/aVideoEncoder.json.php stemming from an incomplete fix for CVE-2026-27732 through timely patching and vulnerability correction.
Blocks unauthorized outbound server requests to internal or sensitive resources initiated via the upload-by-URL feature exploited in this SSRF vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing AVideo app directly enables T1190 exploitation; used as primitive for internal response exfiltration via web service interaction enables T1567.
NVD Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The…
more
server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
Deeper analysisAI
CVE-2026-39370 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting WWBN AVideo, an open-source video platform. The issue impacts versions 26.0 and prior, specifically in the objects/aVideoEncoder.json.php component. It enables attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. As a result, the server fetches the response from the supplied URL and stores it as media content. This vulnerability arises from an incomplete fix for the earlier CVE-2026-27732.
An authenticated uploader can exploit this flaw remotely with low attack complexity and no user interaction. By supplying a malicious downloadURL in the upload-by-URL flow, the attacker transforms it into a reliable SSRF primitive for response exfiltration. The CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) reflects high confidentiality impact from leaked internal responses, low integrity impact, and no availability disruption.
Mitigation details are available in the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9. Security practitioners should consult this advisory for patch information and recommended remediation steps.
Details
- CWE(s)