CVE-2026-33480
HIGHAVideo <=26.0 LiveLinks Proxy - Server-Side Request Forgery Bypass
Title source: manualDescription
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh
X_Refsource_Misc x_refsource_misc
https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373
Scores
CVSS v3
8.6
EPSS
0.0032
EPSS Percentile
23.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (3)
wwbn/avideo
< 26.0
wwbn/avideo
0Packagist
WWBN/AVideo
<= 26.0
Published
Mar 23, 2026
Tracked Since
Mar 23, 2026