PT-2026-30989 · Avideo · Avideo

Threalwinky · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-39370

CVSS v3.1: 7.1 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior

Description: AVideo, an open source video platform, has a Server-Side Request Forgery (SSRF) issue in the objects/aVideoEncoder.json.php file. An attacker who controls the downloadURL parameter can bypass the SSRF validation by giving the URL a common media or archive extension such as .mp4, .mp3, .zip, .jpg, .png, .gif, or .webm; the server then fetches the response and stores it as media content. This allows an authenticated uploader to use the upload-by-URL flow to reliably exfiltrate data via SSRF. The issue stems from an incomplete fix for a previously identified issue.

Recommendations: Update AVideo to a version later than 26.0.
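To illustrate the defensive point in the description, here is an added example (not code from AVideo or from this advisory) of an upload-by-URL validator that trusts a URL on its file extension alone, beside a hardened check that resolves the host and rejects any non-public address regardless of extension. The hostnames, addresses and the in-memory resolver are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Extensions the advisory names as enough to slip past the original check.
MEDIA_EXTENSIONS = (".mp4", ".mp3", ".zip", ".jpg", ".png", ".gif", ".webm")

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],                  # resolves to a public address
    "rebind.example": ["93.184.216.34", "10.0.0.5"],   # mixed public/private answers
}


def resolve_offline(host: str):
    """Return the addresses a host maps to: IP literals map to themselves,
    otherwise consult the constructed table; unknown names raise like DNS would."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise OSError(f"name not found: {host}")
    return FAKE_DNS[host]


def extension_only_check(url: str) -> bool:
    """Weak validation: accepts the URL because its path ends in a media extension.
    This says nothing about where the request will actually be sent."""
    return urlparse(url).path.lower().endswith(MEDIA_EXTENSIONS)


def hardened_check(url: str, resolve=resolve_offline) -> bool:
    """Accept only http(s) URLs whose host resolves exclusively to globally
    routable addresses; the extension filter stays but is no longer the gate."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if parsed.username or parsed.password:   # reject user@host confusion tricks
        return False
    try:
        addrs = resolve(parsed.hostname)
    except OSError:
        return False
    # is_global is False for loopback, RFC 1918, link-local, unspecified and
    # reserved ranges, for both IPv4 and IPv6, so one test covers them all.
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        return False
    return extension_only_check(url)
```

The address checked here must also be the one the fetch actually connects to (and the check repeated on every redirect), otherwise DNS rebinding or an open redirect reopens the same hole.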

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-39370
GHSA-CMCR-Q4JF-P6Q9

Affected Products

Avideo