{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39370", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.350Z", "datePublished": "2026-04-07T19:26:27.478Z", "dateUpdated": "2026-04-08T19:22:58.480Z"}, "containers": {"cna": {"title": "WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:26:27.478Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732."}], "source": {"advisory": "GHSA-cmcr-q4jf-p6q9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:18:34.228729Z", "id": "CVE-2026-39370", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:22:58.480Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39370", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:18:34.228729Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:18:44.166Z"}}], "cna": {"title": "WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)", "source": {"advisory": "GHSA-cmcr-q4jf-p6q9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:26:27.478Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39370", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:22:58.480Z", "dateReserved": "2026-04-06T21:29:17.350Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:26:27.478Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732."}], "id": "CVE-2026-39370", "lastModified": "2026-04-22T18:50:11.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:31.520", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T22:20:23.375027+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to the latest release that resolves the SSRF defect", "If upgrading is delayed, disable or restrict the upload\u2011by\u2011URL feature to prevent external URL submissions", "Configure the application firewall to block outbound requests to internal or sensitive endpoints", "Regularly review access logs for unexpected media retrieval requests"], "summary": {"action": "Patch Upgrade", "impact": "Server Side Request Forgery with internal data exfiltration"}, "threat_synthesis": {"affected_systems": "The software affected is WWBN\u2019s open\u2011source video platform AVideo. All releases version 26.0 and earlier are vulnerable, especially configurations that permit uploading content via a URL. Deployments running these or older releases are at risk if the upload\u2011by\u2011URL feature is enabled.", "description_and_impact": "Authenticated uploaders can supply URLs with allowed media extensions in the downloadURL parameter, bypassing SSRF validation and causing the server to fetch the content. The fetched response is then stored as media, providing the attacker a reliable path to exfiltrate data from internal or protected resources. This pattern represents a classic SSRF flaw (CWE\u2011918) that can reveal sensitive information through server\u2011initiated requests.", "risk_and_exploitability": "With a CVSS score of 7.1 the severity is medium\u2011high. Exploitation requires the attacker to be an authenticated uploader, so the attack surface is narrowed to users with upload privileges. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalogue, indicating that widespread exploitation has not been observed yet. Nonetheless, the incomplete fix for a prior SSRF issue suggests the vulnerability remains exploitable if left unpatched."}}}}, "created": "2026-04-08T19:34:41.963671+00:00", "updated": "2026-04-08T19:46:17.089282+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}