CVE-2026-33690

MEDIUM

WWBN AVideo <=26.0 - IP Spoofing

Title source: llm

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.

References (2)

[Vendor Advisory] https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw

[Patch] https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c

View Patch ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 5.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-348

Status published

Products (3)

wwbn/avideo < 26.0

wwbn/avideo 0Packagist

WWBN/AVideo <=26.0

Published Mar 23, 2026

Tracked Since Mar 24, 2026