Cyber Resilience

CVE-2026-33480

Severity: High · Public PoC referenced

Published: 23 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (see commit below)
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0032 (23.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33480 is a high-severity SSRF (CWE-918) vulnerability in WWBN AVideo. Its CVSS base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 23.6th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33480 is a server-side request forgery (SSRF) vulnerability affecting WWBN AVideo, an open source video platform, in versions up to and including 26.0. The `isSSRFSafeURL()` function, which the unauthenticated `plugin/LiveLinks/proxy.php` endpoint calls to validate a URL before fetching it with curl, can be bypassed with an IPv4-mapped IPv6 address of the form `::ffff:x.x.x.x`: the literal does not match the function's IPv4 checks, yet a dual-stack socket delivers a connection to such an address to the embedded IPv4 host, so `::ffff:127.0.0.1` reaches loopback.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction, as reflected in the CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). The vector records a high confidentiality impact with no integrity or availability impact, and a changed scope because the compromised proxy is used to reach components beyond AVideo itself. The weakness is classified as CWE-918 (Server-Side Request Forgery). Successful exploitation lets an attacker make the proxy endpoint issue requests on their behalf to cloud metadata services, internal networks, and services bound to localhost.

The GitHub security advisory (GHSA-p3gr-g84w-g8hh) and commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 detail the patch, which closes the IPv4-mapped IPv6 bypass in the validation logic. Operators should update to a release of AVideo that includes this commit (versions up to and including 26.0 are affected) and review whether the LiveLinks plugin, and its unauthenticated proxy endpoint, needs to be exposed at all.

Vulnerability details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.
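The following is an added example in Python (AVideo itself is PHP), not the project's code: a minimal model of a URL guard that compares IP literals against a blocklist without normalising them, the `::ffff:x.x.x.x` bypass described above, and a hardened guard that unwraps an IPv4-mapped address before classifying it. `naive_is_ssrf_safe`, `hardened_is_ssrf_safe`, `BLOCKED_NETWORKS`, the injectable `resolve` parameter and the sample URLs are all assumptions of this example; the naive function models the class of bug rather than reproducing AVideo's actual `isSSRFSafeURL()` logic.

```python
"""Added example, not AVideo's code: a naive SSRF URL guard that misses
IPv4-mapped IPv6 literals, and a hardened guard that unwraps them."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

# Ranges a server-side fetcher must never reach. The cloud instance metadata
# address 169.254.169.254 sits in the link-local block. Extend per deployment.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::/128", "::1/128", "fc00::/7", "fe80::/10",
    )
]


def naive_is_ssrf_safe(url: str) -> bool:
    """Hypothetical model of the flawed pattern (not AVideo's function).

    The literal is tested against each blocked range exactly as parsed. An
    IPv6 address object is never "in" an IPv4 network, so
    ::ffff:169.254.169.254 matches nothing and is allowed, although curl
    will connect to 169.254.169.254.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        return True  # bare hostname: trusted without resolving (a separate weakness)
    return not any(addr in net for net in BLOCKED_NETWORKS)


def _canonical(addr):
    """Reduce an IPv4-mapped IPv6 address (::ffff:a.b.c.d, or its hex form
    ::ffff:XXXX:XXXX) to the IPv4 address it wraps; leave others unchanged."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _system_resolve(host: str) -> list:
    """Default resolver: every A/AAAA answer the OS returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def hardened_is_ssrf_safe(url: str,
                          resolve: Optional[Callable[[str], Iterable[str]]] = None) -> bool:
    """Allow only http(s) URLs whose host, after resolution and
    canonicalisation, is a public address on every answer. `resolve` is
    injectable so the example (and its test) runs offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        candidates = [ipaddress.ip_address(parsed.hostname)]
    except ValueError:
        # Not a clean literal: resolve it and judge every answer. Odd spellings
        # (decimal "2130706433", leading-zero octets) also land here and are
        # caught by what they resolve to rather than by string matching.
        resolver = resolve or _system_resolve
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(parsed.hostname)]
        except (OSError, ValueError):
            return False
        if not candidates:
            return False
    return all(
        not any(_canonical(a) in net for net in BLOCKED_NETWORKS)
        for a in candidates
    )


if __name__ == "__main__":
    # Constructed sample URLs; the second and third are the bypass shape.
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://[::ffff:7f00:1]/"):
        print(f"{u:52} naive={naive_is_ssrf_safe(u)!s:5} "
              f"hardened={hardened_is_ssrf_safe(u)}")
```

The unwrapping in `_canonical()` is the one-line fix for the bypass the advisory describes; the rest of the hardened check covers neighbouring SSRF failure modes a reviewer would look for in the same function: every resolved address is judged, not just the first; an unparseable literal is handed to the resolver instead of being trusted; and non-http(s) schemes are refused. Two gaps remain outside this snippet and belong in the fetcher: a redirect from an allowed host must be re-validated before curl follows it, and the connection should be pinned to the address that was validated (curl's CURLOPT_RESOLVE does this) so a DNS answer cannot change between the check and the fetch. The page does not state how the patched AVideo code handles these.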

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

The SSRF in the public-facing proxy.php is itself the T1190 entry point; the validation bypass then lets the proxy be pointed at the cloud instance metadata API (T1552.005) and at internal network services (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33502 (same product: WWBN AVideo)
CVE-2026-33039 (same product: WWBN AVideo)
CVE-2026-33351 (same product: WWBN AVideo)
CVE-2026-27732 (same product: WWBN AVideo)
CVE-2026-41055 (same product: WWBN AVideo)
CVE-2026-39370 (same product: WWBN AVideo)
CVE-2026-41060 (same product: WWBN AVideo)
CVE-2026-33292 (same product: WWBN AVideo)
CVE-2026-33479 (same product: WWBN AVideo)
CVE-2026-33767 (same product: WWBN AVideo)

Affected Assets

Vendor: wwbn · Product: avideo · Versions: ≤ 26.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent

Directly mandates validation of URL inputs to the unauthenticated proxy endpoint, preventing SSRF bypasses via IPv4-mapped IPv6 addresses in isSSRFSafeURL().

SC-7 Boundary Protection · prevent

Enforces boundary protections to block unauthorized outbound requests from the proxy to internal networks, localhost, and cloud metadata services.

prevent (control identifier not preserved on this page)

Requires timely remediation of the specific SSRF flaw through patching as detailed in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373.