GHSA-h39h-7cvg-q7j6

Source
https://github.com/advisories/GHSA-h39h-7cvg-q7j6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-h39h-7cvg-q7j6/GHSA-h39h-7cvg-q7j6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h39h-7cvg-q7j6
Aliases
Published
2026-02-25T18:57:05Z
Modified
2026-02-25T19:11:42.134451Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
Details

Vulnerability Type

Authenticated Server-Side Request Forgery (SSRF)

Affected Product/Versions

AVideo versions prior to 22 (tested on AVideo 21.x).

Root Cause Summary

The aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints).
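The defensive pattern the root cause calls for is a strict check on a user-supplied URL before any server-side fetch: scheme restricted to http/https, host on an operator-configured allow-list, and every address the host resolves to confirmed to be publicly routable. The PHP below is an added illustration of that check; it is not AVideo's code and not the fix shipped in version 22. The function names, the allow-list contents and the sample URLs are assumptions constructed for this example.

```php
<?php
// Added example: not AVideo's own code and not its version 22 fix.
// Validates a user-supplied "downloadURL" before a server-side fetch.
// Function names and the allow-list are assumptions for this example.

declare(strict_types=1);

/**
 * Returns true only if $url is safe to fetch server-side:
 *  - scheme is http or https (no file://, gopher://, ftp://, ...)
 *  - no embedded credentials ("user:pass@host" is a common allow-list bypass)
 *  - only the standard ports 80/443
 *  - host is on an explicit operator-configured allow-list
 *  - every address the host resolves to is a public, routable IPv4 address
 */
function isSafeDownloadUrl(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $port = $parts['port'] ?? null;
    if ($port !== null && !in_array($port, [80, 443], true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, $allowedHosts, true)) {
        return false;
    }
    // A literal IP is checked directly; a hostname is resolved and every
    // A record is checked, so a DNS name pointing at loopback, a private
    // range or the link-local metadata range is still rejected.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        return false;
    }
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            return false;
        }
    }
    return true;
}

/** True only for globally routable addresses: rejects loopback, private, link-local and reserved ranges. */
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Constructed usage with a hypothetical allow-list; the allowed entry depends on
// live DNS, the other two are rejected before any network access occurs.
$allowedHosts = ['cdn.example.com'];
var_dump(isSafeDownloadUrl('https://cdn.example.com/video.mp4', $allowedHosts));
var_dump(isSafeDownloadUrl('http://127.0.0.1/', $allowedHosts));
var_dump(isSafeDownloadUrl('http://169.254.169.254/', $allowedHosts));
```

Two caveats for anyone adapting this: gethostbynamel() returns IPv4 records only, so a deployment with IPv6 egress should also resolve AAAA records (dns_get_record() with DNS_AAAA) and pass them through the same isPublicIp() check; and a resolve-then-fetch sequence is open to DNS rebinding between the check and the fetch, so the fetch should be pinned to the validated address (for cURL, CURLOPT_RESOLVE) or performed through an egress proxy that enforces the same policy. The allow-list is the primary control; the IP check is defence in depth for the case where an allowed name is later repointed.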

Impact Summary

An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment.

Resolution/Fix

This issue has been fixed in AVideo version 22. Users should upgrade to version 22.0 as soon as possible.

Credits/Acknowledgement

Thanks to Arkadiusz Marta for responsibly reporting this issue (GitHub profile: https://github.com/arkmarta/).

Database specific
{
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed_at": "2026-02-25T18:57:05Z",
    "nvd_published_at": "2026-02-24T15:21:39Z"
}
References

Affected packages

Packagist / wwbn/avideo

Package

Name
wwbn/avideo
Purl
pkg:composer/wwbn/avideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
21.0.0

Affected versions

10.*
10.4
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
14.4
18.*
18.0
21.*
21.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-h39h-7cvg-q7j6/GHSA-h39h-7cvg-q7j6.json"