Key Vulnerability Information

Vulnerability ID: GHSA-h39h-7cvg-q7j6
CVE ID: CVE-2026-27732
Vulnerability Type: Authenticated Server-Side Request Forgery (SSRF) — CWE-918
Affected Versions: <22
Patched Version: 22
Severity: High

Description

Root Cause Summary: The API endpoint accepts a parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoints).

Impact Summary: An authenticated attacker can leverage SSRF to interact with internal services and retrieve sensitive data (e.g., internal APIs, metadata services), potentially leading to further compromise depending on the deployment environment.

Resolution/Fix

This issue has been fixed in AVideo version 22. Users should upgrade to version 22 as soon as possible.

Credits/Acknowledgement

Thanks to Arkadiusz Marta for responsibly reporting this issue.
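The root cause above is a server-side fetch of a user-supplied URL with neither validation nor an allow-list. The sketch below shows both controls together; it is an added example, not AVideo's code or the version 22 fix. The names `ALLOWED_HOSTS`, `system_resolver` and `safe_fetch_target` and the listed hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the only hosts this server may fetch from.
ALLOWED_HOSTS = {"media.example.com", "cdn.example.com"}


def system_resolver(host, port):
    """Resolve host to the IP strings the OS would connect to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def safe_fetch_target(url, resolver=system_resolver):
    """Return (host, port, ip) if url may be fetched server-side, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):      # rejects file://, gopher://, ...
        return None
    if parts.username is not None or parts.password is not None:
        return None                          # rejects allowed-host@other-host forms
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:            # exact match, no suffix matching
        return None
    port = port or (443 if scheme == "https" else 80)
    try:
        ips = resolver(host, port)
        # Every record must be publicly routable: one loopback, RFC 1918 or
        # link-local (metadata service) address rejects the whole URL.
        if not ips or not all(ipaddress.ip_address(ip).is_global for ip in ips):
            return None
    except (OSError, ValueError):
        return None
    return host, port, ips[0]
```

The HTTP client should connect to the returned IP rather than resolving the name a second time, and should not follow redirects unless each redirect target is passed through the same check.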