SB20260408172 - Multiple vulnerabilities in AVideo
Published: April 8, 2026 Updated: April 15, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-27732)
The vulnerability allows a remote user to make the server issue requests to arbitrary URLs and disclose sensitive information.
The vulnerability exists because aVideoEncoder.json.php fetches the URL supplied in the downloadURL parameter without restricting its destination. A remote user can supply a crafted URL to have the server perform requests to arbitrary URLs and disclose sensitive information.
Because the request originates from the AVideo server, it can reach hosts that are not exposed externally: internal network endpoints, internal APIs and cloud instance metadata services.
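The defensive check a practitioner wants for a parameter like downloadURL is a destination filter applied before the server fetches anything. The following is an added example written for this bulletin, not AVideo's code; the function names, the pluggable resolver and the allowed-scheme set are this example's own assumptions. It rejects non-http(s) schemes, credentials in the URL, literal or resolved addresses in loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint), reserved and multicast ranges, and unwraps IPv4-mapped IPv6 so `::ffff:10.0.0.5` cannot slip a private IPv4 target past the check.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not AVideo code: a destination check for a user-supplied
# fetch URL such as the downloadURL parameter named in the bulletin. Names
# (is_safe_download_url, resolver, ALLOWED_SCHEMES) are this example's own.

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve host to every A/AAAA answer. This is the only place DNS is
    touched, so callers (and offline tests) can pass a stub resolver."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 / ULA, link-local (which covers the
    169.254.169.254 cloud metadata endpoint), reserved, multicast and
    unspecified ranges, and unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d) so
    that form cannot smuggle a private IPv4 address past the check.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def is_safe_download_url(url, resolver=default_resolver):
    """Return True only if url is http(s), has a plain host, and every
    address that host resolves to is public. A host with one private
    answer among several public ones is rejected (round-robin tricks)."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # file://, gopher://, dict:// etc. never reach the fetcher
    host = parts.hostname
    if not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # http://trusted.example@internal/ style confusion
    try:
        ipaddress.ip_address(host)  # literal IP: no lookup needed
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False
    return all(is_public_address(a) for a in addrs)


if __name__ == "__main__":
    for candidate in ("https://example.com/video.mp4",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:10.0.0.5]/",
                      "file:///etc/passwd"):
        print(candidate, "->", is_safe_download_url(candidate))
```

Two caveats apply however the check is written: the fetcher must connect to the address that was validated (or re-validate at connect time) so a DNS answer cannot change between check and fetch, and every redirect hop must be passed through the same check, since a public host can 302 to an internal one. Where the feature only ever needs a few known sources, an allowlist of hostnames is stricter than any denylist of address ranges.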
2) SQL injection (CVE-ID: CVE-2026-28501)
The vulnerability allows a remote attacker to execute arbitrary SQL queries and disclose sensitive information.
The vulnerability exists due to insufficient sanitization of the catName parameter, taken from a JSON-formatted POST request body, in objects/videos.json.php and objects/video.php. A remote attacker can send a specially crafted JSON request to execute arbitrary SQL queries and disclose sensitive information.
The root cause is an ordering problem: the JSON body is parsed and merged into $_REQUEST only after the global security checks have already run over the request, so values supplied in the JSON body are never seen by the existing sanitization mechanisms and reach the query unfiltered.
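The ordering flaw is easiest to see side by side with the two ways to close it. The following is an added example written for this bulletin, not AVideo's code: the global filter, the videos table and its rows are constructed stand-ins, since the bulletin does not show the real filter. `handle_vulnerable` runs the checks before the JSON merge, as the bulletin describes; `handle_reordered` merges every input source first; `handle_parameterized` binds the value so the order of sanitization no longer decides whether the query is safe.

```python
import json
import sqlite3

# Added example, not AVideo code: models the ordering flaw the bulletin
# describes (JSON body merged into the request array only after the global
# input checks ran) and contrasts it with merging first and with a bound
# parameter. Sanitizer, schema and rows are constructed for the demo.

INJECTED_BODY = json.dumps({"catName": "x' OR '1'='1"})
LEGIT_BODY = json.dumps({"catName": "music"})


def make_db():
    """Constructed in-memory table standing in for the videos/category data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE videos (id INTEGER, title TEXT, catName TEXT)")
    conn.executemany(
        "INSERT INTO videos VALUES (?, ?, ?)",
        [(1, "intro", "music"), (2, "talk", "tech"), (3, "private", "unlisted")],
    )
    return conn


def sanitize_request(request):
    """Stand-in for a global security filter: doubles single quotes in every
    string value. Anything merged into the request after this has run is
    never touched by it, which is the gap the bulletin describes."""
    return {k: (v.replace("'", "''") if isinstance(v, str) else v)
            for k, v in request.items()}


def merge_json_body(request, raw_body):
    """Stand-in for 'parse the JSON POST body and merge it into $_REQUEST'."""
    merged = dict(request)
    try:
        data = json.loads(raw_body)
    except (TypeError, ValueError):
        return merged
    if isinstance(data, dict):
        merged.update(data)
    return merged


def build_query_unsafe(cat_name):
    """String-built query: its safety rests entirely on prior sanitization."""
    return f"SELECT id, title FROM videos WHERE catName = '{cat_name}'"


def handle_vulnerable(conn, query_params, raw_body):
    """Checks run first, JSON lands afterwards: injected catName is unfiltered."""
    req = sanitize_request(query_params)
    req = merge_json_body(req, raw_body)
    return conn.execute(build_query_unsafe(req.get("catName", ""))).fetchall()


def handle_reordered(conn, query_params, raw_body):
    """Merge every input source before the global checks run."""
    req = merge_json_body(query_params, raw_body)
    req = sanitize_request(req)
    return conn.execute(build_query_unsafe(req.get("catName", ""))).fetchall()


def handle_parameterized(conn, query_params, raw_body):
    """Bound parameter: sanitization order no longer matters for the SQL."""
    req = merge_json_body(query_params, raw_body)
    return conn.execute(
        "SELECT id, title FROM videos WHERE catName = ?",
        (req.get("catName", ""),),
    ).fetchall()


def demo():
    """Row counts each handler returns for the injected and legitimate bodies."""
    conn = make_db()
    return {
        "vulnerable_injected": len(handle_vulnerable(conn, {}, INJECTED_BODY)),
        "reordered_injected": len(handle_reordered(conn, {}, INJECTED_BODY)),
        "parameterized_injected": len(handle_parameterized(conn, {}, INJECTED_BODY)),
        "parameterized_legit": len(handle_parameterized(conn, {}, LEGIT_BODY)),
    }


if __name__ == "__main__":
    print(demo())
```

With the injected body the vulnerable handler returns every row, including the unlisted one, while the other two return none; the legitimate body still returns its single match. Reordering the merge restores the filter's coverage, but a quote-doubling filter is still a fragile defence (numeric contexts, multibyte charsets, second-order use), so the bound parameter is the fix to keep; the reorder is worth doing as well so every later consumer of $_REQUEST sees checked data.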
Remediation
Install the update from the vendor's website.