{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33480", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.970Z", "datePublished": "2026-03-23T14:08:49.302Z", "dateUpdated": "2026-03-23T15:57:19.767Z"}, "containers": {"cna": {"title": "AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh"}, {"name": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T14:08:49.302Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch."}], "source": {"advisory": "GHSA-p3gr-g84w-g8hh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:57:09.427654Z", "id": "CVE-2026-33480", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:57:19.767Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n 'isSSRFSafeURL()' en AVideo puede ser eludida utilizando direcciones IPv6 mapeadas a IPv4 ('::ffff:x.x.x.x'). El punto final no autenticado 'plugin/LiveLinks/proxy.php' utiliza esta funci\u00f3n para validar URL antes de recuperarlas con curl, pero el prefijo IPv6 mapeado a IPv4 pasa todas las comprobaciones, permitiendo a un atacante acceder a servicios de metadatos en la nube, redes internas y servicios de localhost. El commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contiene un parche."}], "id": "CVE-2026-33480", "lastModified": "2026-03-24T18:46:11.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-23T15:16:34.400", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T21:08:59.163043+00:00", "value": {"mitigation_remediation": ["Apply the official patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 or upgrade AVideo to version 26.1 or newer.", "Restrict unauthenticated access to the /plugin/LiveLinks/proxy.php endpoint via web server configuration or an application firewall.", "Block outbound traffic from the proxy service to internal IP ranges and cloud metadata endpoints using network firewall rules.", "Monitor web and application logs for unexpected internal IP access attempts and investigate suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Server Request Forgery enabling access to internal resources"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open source video platform AVideo by WWBN, specifically versions up to and including 26.0. Versions 26.1 and later contain a patch that resolves the SSRF bypass. All installations of the affected releases that expose the unauthenticated /plugin/LiveLinks/proxy.php endpoint are susceptible.", "description_and_impact": "AVideo\u2019s LiveLinks proxy validates URLs with the isSSRFSafeURL() function, which was vulnerable to IPv4\u2011mapped IPv6 addresses such as ::ffff:10.0.0.5. These addresses circumvent the safety check, allowing an attacker to cause the server to fetch any remote resource via curl. The result is an SSRF that can reach cloud metadata services, internal network hosts, and localhost endpoints, potentially exposing sensitive configuration data and providing a foothold for further attacks. The flaw is classified as CWE\u2011918, reflecting insufficient input validation on the server side and a high CVSS score of 8.6.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit the flaw by sending an unauthenticated HTTP request to the LiveLinks/proxy.php endpoint with an IPv4\u2011mapped IPv6 URL, enabling internal network reconnaissance and potential lateral movement."}}}}, "created": "2026-03-24T10:33:47.571275+00:00", "updated": "2026-03-25T21:28:03.349360+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}