Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33480 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in AVideo. The flaw allows unauthenticated attackers to bypass URL validation checks and potentially reach sensitive internal resources. It affects AVideo versions 26.0 and earlier; a fix is available in a subsequent release (26.0.1).
The SSRF vulnerability in AVideo's plugin/LiveLinks/proxy.php endpoint stems from a flawed isSSRFSafeURL() function. This function fails to properly validate URLs when IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) are used. An attacker can exploit this by crafting a request with a malicious IPv4-mapped IPv6 URL, bypassing the intended security checks. This allows them to make requests to internal services, cloud metadata endpoints (potentially exposing API keys and credentials), and even localhost resources. The potential blast radius is significant, as an attacker could gain unauthorized access to sensitive data and potentially compromise the entire system.
CVE-2026-33480 was publicly disclosed on 2026-03-20. The vulnerability's exploitation context is currently unclear, and no public proof-of-concept (PoC) has been identified. It is not listed on the CISA KEV catalog as of this writing. The ease of exploitation, combined with the potential impact, warrants careful monitoring and prompt patching.
Organizations utilizing AVideo in environments with sensitive internal resources or cloud integrations are at risk. Shared hosting environments where AVideo is deployed alongside other applications are particularly vulnerable, as a successful exploitation could potentially impact other tenants.
• php: Examine access logs for requests to plugin/LiveLinks/proxy.php containing IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1).
• generic web: Use curl to test the endpoint with an IPv4-mapped IPv6 address and verify that the request is blocked.
curl -v 'http://your-avideo-server/plugin/LiveLinks/proxy.php?url=http://::ffff:127.0.0.1'
Exploit Status
EPSS
0.04% (13th percentile)
The primary mitigation for CVE-2026-33480 is to upgrade AVideo to a version containing the fix. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing IPv4-mapped IPv6 addresses. Additionally, restrict network access to the plugin/LiveLinks/proxy.php endpoint to only trusted sources. Monitor access logs for suspicious requests using IPv4-mapped IPv6 addresses. After upgrading, confirm the fix by attempting to access a known internal resource via the plugin/LiveLinks/proxy.php endpoint with an IPv4-mapped IPv6 address; the request should be blocked.
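As an added illustration (not AVideo's own code and not the page's curl check), the Python below places an assumed reconstruction of the flawed text-matching pattern beside a hardened check that unwraps IPv4-mapped IPv6 literals before applying range tests, and doubles as an offline version of the post-upgrade confirmation step above. The function names, the blocked-prefix list and the sample URLs are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(addr):
    """True for loopback, private, link-local (cloud metadata), multicast,
    reserved or unspecified addresses. IPv4-mapped IPv6 literals are unwrapped
    first, so ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def naive_is_ssrf_safe(url):
    """Assumed reconstruction of the flawed pattern (not AVideo's code): a text
    match on the host string that never sees the IPv4 inside an IPv6 literal."""
    host = urlsplit(url).hostname or ""
    blocked_prefixes = ("127.", "10.", "192.168.", "169.254.")
    return host != "localhost" and not host.startswith(blocked_prefixes)


def is_ssrf_safe_url(url):
    """Hardened check: parse the host, resolve names, unwrap mapped addresses
    and reject anything that lands on an internal range."""
    parts = urlsplit(url)
    host = parts.hostname  # None for unbracketed IPv6 such as http://::ffff:1.2.3.4
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # A hostname: check every address it resolves to, so a name that points
        # at an internal address is rejected as well. (DNS rebinding between
        # this check and the actual fetch is a separate concern.)
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return False
        candidates = [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]
    return not any(_is_internal(a) for a in candidates)
```

Note that a plain `is_private` test on the unwrapped-free IPv6 literal would either miss the loopback (as the naive variant does) or over-block every mapped address, depending on the Python version; unwrapping explicitly avoids both.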
Update AVideo to a version later than 26.0. The vulnerability is fixed in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373, which removes the possibility of an SSRF bypass via IPv4-mapped IPv6 addresses.
CVE-2026-33480 is a HIGH severity SSRF vulnerability affecting AVideo versions up to 26.0. It allows attackers to bypass URL validation and access internal resources.
You are affected if you are running AVideo version 26.0 or earlier. Check your version and upgrade as soon as possible.
Upgrade AVideo to a patched version. As a temporary workaround, implement a WAF rule to block IPv4-mapped IPv6 addresses.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants vigilance.
Refer to the AVideo project's official website or security advisories for the latest information and patch releases.