CVE-2026-27732 — HIGH (8.1)

Q: How severe is CVE-2026-27732?

CVE-2026-27732 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-27732?

Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.

Vulnerability Description

WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints). An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment. This issue has been fixed in AVideo version 22.0.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Wwbn	Avideo	< 22.0

Related Weaknesses (CWE)

CWE-918

References

FAQ

What is CVE-2026-27732?

CVE-2026-27732 is a vulnerability with a CVSS score of 8.1 (HIGH). WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without...

How severe is CVE-2026-27732?

CVE-2026-27732 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27732?

Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.