CVE-2026-33480
Received Received - Intake
Server-Side Request Forgery in WWBN AVideo LiveLinks Proxy

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33480
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33480 is a Server-Side Request Forgery (SSRF) vulnerability in the WWBN AVideo platform, affecting versions up to and including 26.0. The vulnerability exists because the function isSSRFSafeURL() used to validate URLs before fetching them can be bypassed using IPv4-mapped IPv6 addresses (addresses of the form ::ffff:x.x.x.x).

This bypass occurs because the validation function does not correctly handle these IPv4-mapped IPv6 addresses, allowing attackers to trick the system into treating malicious URLs as safe. The vulnerable endpoint plugin/LiveLinks/proxy.php is unauthenticated and uses this function to validate URLs before fetching them with curl.

As a result, attackers can exploit this flaw to access internal services such as cloud metadata endpoints, internal network IPs, and localhost services, which should normally be protected.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to bypass URL validation and access sensitive internal resources.

  • Steal cloud instance metadata and credentials (e.g., AWS IAM credentials), potentially leading to full cloud infrastructure compromise.
  • Access and scan internal network services that are not exposed externally.
  • Interact with localhost-bound services such as databases, Redis, Memcached, or internal APIs.

The vulnerability has a high severity score (CVSS 8.6) due to its network attack vector, low complexity, no required privileges or user interaction, and high confidentiality impact.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for requests to the vulnerable endpoint and identifying attempts to exploit the IPv4-mapped IPv6 address bypass in the isSSRFSafeURL() function.'}, {'type': 'list_item', 'content': 'Monitor HTTP requests to the unauthenticated endpoint plugin/LiveLinks/proxy.php for URLs containing IPv4-mapped IPv6 addresses, such as those starting with ::ffff: followed by an IPv4 address.'}, {'type': 'list_item', 'content': 'Check logs for entries indicating normalization or blocking events related to IPv4-mapped IPv6 addresses or private/reserved IPs, as the patched function logs these events.'}, {'type': 'list_item', 'content': 'Use network monitoring tools or intrusion detection systems to flag outbound requests from the server to internal IP ranges or cloud metadata service IPs, especially those using IPv4-mapped IPv6 notation.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': "Using grep on web server logs to find suspicious requests: grep -E 'plugin/LiveLinks/proxy.php.*\\[::ffff:' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "Using tcpdump or similar to capture outgoing HTTP requests from the server to internal or cloud metadata IPs: tcpdump -i eth0 host 169.254.169.254 or tcpdump -i eth0 'dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16'"}, {'type': 'list_item', 'content': 'Review application logs for error or debug messages related to isSSRFSafeURL normalization or blocking.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps focus on preventing exploitation of the SSRF vulnerability by addressing the flawed URL validation and restricting access.'}, {'type': 'list_item', 'content': "Apply the patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 which refactors the isSSRFSafeURL() function to correctly handle IPv4-mapped IPv6 addresses and uses PHP's filter_var() with appropriate flags to block private and reserved IP ranges."}, {'type': 'list_item', 'content': 'If patching is not immediately possible, restrict access to the plugin/LiveLinks/proxy.php endpoint by limiting network access to trusted users or IP addresses.'}, {'type': 'list_item', 'content': 'Implement firewall rules to block outgoing requests from the server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (e.g., 169.254.169.254).'}, {'type': 'list_item', 'content': 'Monitor logs for suspicious activity and consider disabling or restricting the vulnerable proxy functionality until a fix is applied.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33480. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart