PT-2026-21762 · Avideo · Avideo

Arkmarta · Published 2026-02-24 · Updated 2026-03-01 · CVE-2026-27732

CVSS v4.0: 8.6 High

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

AVideo versions prior to 22.0

Description

AVideo is an open source video platform. The aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs, including internal network endpoints, leading to Server-Side Request Forgery (SSRF). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data, potentially leading to further compromise. The vulnerable parameter is downloadURL.

Recommendations

Update AVideo to version 22.0 or later.
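
The description attributes the issue to a server-side fetch of downloadURL with no validation or allow-list. The following is an added example, not AVideo's code and not the project's fix, showing what such a check can look like in PHP; the function name vetDownloadUrl, the allow-listed host names, the injected resolver and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not AVideo code. Host names are constructed placeholders.
const ALLOWED_HOSTS = ['media.example.com', 'cdn.example.com']; // assumed allow-list

// Returns the IP the fetch should be pinned to, or null if the URL must be rejected.
// $resolver maps a host name to a list of IP strings (e.g. 'gethostbynamel' in production).
function vetDownloadUrl(string $url, callable $resolver): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // malformed, relative, or host-less URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // only web schemes are fetched
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                       // userinfo is a common host-confusion trick
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                       // exact-match allow-list, no suffix matching
    }
    $ips = $resolver($host);
    if (!$ips) {
        return null;                       // unresolvable (false or empty list)
    }
    foreach ($ips as $ip) {
        // Reject if any record is private (RFC 1918, fc00::/7), loopback or link-local.
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return null;
        }
    }
    return $ips[0];                        // caller connects to this vetted address
}

// Constructed DNS answers and inputs so the demo runs without network access.
$records = ['media.example.com' => ['203.0.113.10'], 'cdn.example.com' => ['10.0.0.5']];
$fakeDns = fn(string $h): array => $records[$h] ?? [];
foreach ([
    'https://media.example.com/v.mp4',     // allow-listed, public address
    'https://cdn.example.com/v.mp4',       // allow-listed name resolving inward
    'http://127.0.0.1/status',             // literal internal address
    'file:///etc/hostname',                // non-web scheme
] as $u) {
    printf("%-34s %s\n", $u, vetDownloadUrl($u, $fakeDns) ?? 'REJECTED');
}
```

The fetch itself should connect to the returned address (for example with cURL's CURLOPT_RESOLVE) and leave CURLOPT_FOLLOWLOCATION disabled, so that a second DNS lookup or a redirect cannot replace the vetted destination.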

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-27732
GHSA-H39H-7CVG-Q7J6

Affected Products

Avideo