Platform
php
Component
wwbn/avideo
Fixed version
26.0.1
CVE-2026-33480 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in AVideo. This flaw allows unauthenticated attackers to bypass URL validation checks and potentially access sensitive internal resources. The vulnerability impacts AVideo versions 26.0 and earlier, and a fix is available in a subsequent release.
The SSRF vulnerability in AVideo's plugin/LiveLinks/proxy.php endpoint stems from a flawed isSSRFSafeURL() function. This function fails to properly validate URLs when IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) are used. An attacker can exploit this by crafting a request with a malicious IPv4-mapped IPv6 URL, bypassing the intended security checks. This allows them to make requests to internal services, cloud metadata endpoints (potentially exposing API keys and credentials), and even localhost resources. The potential blast radius is significant, as an attacker could gain unauthorized access to sensitive data and potentially compromise the entire system.
CVE-2026-33480 was publicly disclosed on 2026-03-20. The vulnerability's exploitation context is currently unclear, and no public proof-of-concept (PoC) has been identified. It is not listed on the CISA KEV catalog as of this writing. The ease of exploitation, combined with the potential impact, warrants careful monitoring and prompt patching.
Organizations utilizing AVideo in environments with sensitive internal resources or cloud integrations are at risk. Shared hosting environments where AVideo is deployed alongside other applications are particularly vulnerable, as a successful exploitation could potentially impact other tenants.
• php: Examine access logs for requests to plugin/LiveLinks/proxy.php containing IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1).
• generic web: Use curl to test the endpoint with an IPv4-mapped IPv6 address and verify that the request is blocked.
curl -v 'http://your-avideo-server/plugin/LiveLinks/proxy.php?url=http://::ffff:127.0.0.1'
Exploitation status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33480 is to upgrade AVideo to a version containing the fix. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing IPv4-mapped IPv6 addresses. Additionally, restrict network access to the plugin/LiveLinks/proxy.php endpoint to only trusted sources. Monitor access logs for suspicious requests using IPv4-mapped IPv6 addresses. After upgrading, confirm the fix by attempting to access a known internal resource via the plugin/LiveLinks/proxy.php endpoint with an IPv4-mapped IPv6 address; the request should be blocked.
Update AVideo to a version later than 26.0. This vulnerability is fixed in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373, which closes the possibility of bypassing the SSRF protection via IPv4-mapped IPv6 addresses.
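As an added illustration (this is not AVideo's PHP code; the function names are hypothetical), the Python below models the class of flaw described above and its fix: a check that only range-tests IPv4 literals lets an IPv4-mapped IPv6 host through, while the hardened version unwraps the mapped address before testing it, which also catches the hex spelling ::ffff:7f00:1 and a mapped cloud metadata address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample inputs; [::ffff:127.0.0.1] is the bypass shape the advisory describes.
SAMPLE_URLS = [
    "http://127.0.0.1/",                 # plain loopback
    "http://[::ffff:127.0.0.1]/",        # IPv4-mapped IPv6 loopback
    "http://[::ffff:7f00:1]/",           # same mapped address in hex notation
    "http://[::ffff:169.254.169.254]/",  # mapped cloud metadata address
    "http://8.8.8.8/",                   # public address, should be allowed
]

def _host_ip(url):
    """Return the host of url as an ip_address object, or None if it is not an IP literal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        return ipaddress.ip_address(parts.hostname)
    except ValueError:
        return None

def weak_is_ssrf_safe(url):
    """Models the flawed check: only IPv4 literals are range-checked, so any
    IPv6 literal, including an IPv4-mapped one, is treated as safe."""
    try:
        ip = ipaddress.IPv4Address(urlsplit(url).hostname or "")
    except ValueError:
        return True  # not an IPv4 literal: assumed safe (the bug)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)

def hardened_is_ssrf_safe(url):
    """Unwraps IPv4-mapped IPv6 before the range checks. Non-literal hosts are
    rejected here as a simplification; real code must resolve the name and
    check every returned address."""
    ip = _host_ip(url)
    if ip is None:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # e.g. ::ffff:127.0.0.1 -> 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def compare(urls=SAMPLE_URLS):
    """Map each URL to (weak verdict, hardened verdict); True means allowed."""
    return {u: (weak_is_ssrf_safe(u), hardened_is_ssrf_safe(u)) for u in urls}

if __name__ == "__main__":
    for url, (weak, hard) in compare().items():
        print(url, "weak:", "allow" if weak else "block", "hardened:", "allow" if hard else "block")
```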
CVE-2026-33480 is a HIGH severity SSRF vulnerability affecting AVideo versions up to 26.0. It allows attackers to bypass URL validation and access internal resources.
You are affected if you are running AVideo version 26.0 or earlier. Check your version and upgrade as soon as possible.
Upgrade AVideo to a patched version. As a temporary workaround, implement a WAF rule to block IPv4-mapped IPv6 addresses.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants vigilance.
Refer to the AVideo project's official website or security advisories for the latest information and patch releases.