CVE-2026-33480
Server-Side Request Forgery in WWBN AVideo LiveLinks Proxy
Publication date: 2026-03-23
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI-Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33480 is a Server-Side Request Forgery (SSRF) vulnerability in the WWBN AVideo platform, affecting versions up to and including 26.0. The vulnerability exists because the function isSSRFSafeURL() used to validate URLs before fetching them can be bypassed using IPv4-mapped IPv6 addresses (addresses of the form ::ffff:x.x.x.x).
This bypass occurs because the validation function does not correctly handle these IPv4-mapped IPv6 addresses, allowing attackers to trick the system into treating malicious URLs as safe. The vulnerable endpoint plugin/LiveLinks/proxy.php is unauthenticated and uses this function to validate URLs before fetching them with curl.
As a result, attackers can exploit this flaw to access internal services such as cloud metadata endpoints, internal network IPs, and localhost services, which should normally be protected.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows unauthenticated attackers to bypass URL validation and access sensitive internal resources.
- Steal cloud instance metadata and credentials (e.g., AWS IAM credentials), potentially leading to full cloud infrastructure compromise.
- Access and scan internal network services that are not exposed externally.
- Interact with localhost-bound services such as databases, Redis, Memcached, or internal APIs.
The vulnerability has a high severity score (CVSS 8.6) due to its network attack vector, low complexity, no required privileges or user interaction, and high confidentiality impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for requests to the vulnerable endpoint and identifying attempts to exploit the IPv4-mapped IPv6 address bypass in the isSSRFSafeURL() function.
- Monitor HTTP requests to the unauthenticated endpoint plugin/LiveLinks/proxy.php for URLs containing IPv4-mapped IPv6 addresses, such as those starting with ::ffff: followed by an IPv4 address.
- Check logs for entries indicating normalization or blocking events related to IPv4-mapped IPv6 addresses or private/reserved IPs, as the patched function logs these events.
- Use network monitoring tools or intrusion detection systems to flag outbound requests from the server to internal IP ranges or cloud metadata service IPs, especially those using IPv4-mapped IPv6 notation.
Suggested commands to detect exploitation attempts include:
- Using grep on web server logs to find suspicious requests: grep -E 'plugin/LiveLinks/proxy.php.*\[::ffff:' /var/log/apache2/access.log
- Using tcpdump or similar to capture outgoing HTTP requests from the server to internal or cloud metadata IPs: tcpdump -i eth0 host 169.254.169.254 or tcpdump -i eth0 'dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16'
- Review application logs for error or debug messages related to isSSRFSafeURL normalization or blocking. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on preventing exploitation of the SSRF vulnerability by addressing the flawed URL validation and restricting access.
- Apply the patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373, which refactors the isSSRFSafeURL() function to correctly handle IPv4-mapped IPv6 addresses and uses PHP's filter_var() with appropriate flags to block private and reserved IP ranges.
- If patching is not immediately possible, restrict access to the plugin/LiveLinks/proxy.php endpoint by limiting network access to trusted users or IP addresses.
- Implement firewall rules to block outgoing requests from the server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (e.g., 169.254.169.254).
- Monitor logs for suspicious activity and consider disabling or restricting the vulnerable proxy functionality until a fix is applied. [1, 2]
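As an added example (not AVideo's code and not the patched isSSRFSafeURL()), a Python sketch of the detection and mitigation points above: a validator that unwraps IPv4-mapped IPv6 literals (both the dotted ::ffff:x.x.x.x form and the equivalent hex form) before applying the private/reserved-range check, and a log check that percent-decodes each line before matching, so an encoded bracket does not slip past the grep. FAKE_DNS, resolve_target, is_ssrf_safe_url, flag_log_lines and the access-log lines are all constructed for this example; a real deployment would resolve names with DNS and pin the resolved address for the fetch.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed name -> address table standing in for DNS so the example runs offline.
# "cdn.example.net" maps to a public address; "evil.example" to a mapped metadata IP.
FAKE_DNS = {"cdn.example.net": "93.184.216.34",
            "evil.example": "::ffff:169.254.169.254"}

def resolve_target(host, lookup=FAKE_DNS):
    """Return the address a host literal or name really points at, or None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host not in lookup:          # unknown name: in production, do DNS here
            return None
        ip = ipaddress.ip_address(lookup[host])
    # The bypass on this page: ::ffff:x.x.x.x (or ::ffff:hex:hex) parses as IPv6,
    # but the real destination is the embedded IPv4 address, so check that instead.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def is_ssrf_safe_url(url, lookup=FAKE_DNS):
    """Hardened check: http(s) only, then reject any non-global target after unwrapping."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = resolve_target(parts.hostname, lookup)
    if ip is None:
        return False
    return ip.is_global and not (ip.is_private or ip.is_loopback
                                 or ip.is_link_local or ip.is_multicast)

# Constructed access-log lines; the second one percent-encodes the brackets and colons.
ACCESS_LOG = """\
203.0.113.5 - - [23/Mar/2026:10:01:02 +0000] "GET /plugin/LiveLinks/proxy.php?url=http://[::ffff:169.254.169.254]/latest/ HTTP/1.1" 200 512
203.0.113.5 - - [23/Mar/2026:10:01:09 +0000] "GET /plugin/LiveLinks/proxy.php?url=http%3A%2F%2F%5B%3A%3Affff%3A127.0.0.1%5D%3A6379%2F HTTP/1.1" 200 88
198.51.100.9 - - [23/Mar/2026:10:02:00 +0000] "GET /plugin/LiveLinks/proxy.php?url=https://cdn.example.net/live.m3u8 HTTP/1.1" 200 2048
"""
PROXY_MAPPED = re.compile(r"plugin/LiveLinks/proxy\.php.*\[::ffff:", re.IGNORECASE)

def flag_log_lines(log):
    """Decode percent-encoding first so %5B%3A%3Affff%3A cannot slip past the pattern."""
    return [line for line in log.splitlines() if PROXY_MAPPED.search(unquote(line))]
```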