CVE-2026-33480
Published: 23 March 2026
Summary
CVE-2026-33480 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in WWBN AVideo. Its CVSS v3.1 base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 20.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): mandates validation of the URL passed to the unauthenticated proxy endpoint, including canonicalising IPv4-mapped IPv6 literals (::ffff:x.x.x.x) to the IPv4 address they designate before any allow/deny decision is made, which closes the isSSRFSafeURL() bypass.
SC-7 (Boundary Protection): enforces egress filtering so that outbound requests from the proxy cannot reach internal networks, localhost services or cloud metadata services even if the input validation is bypassed again.
Flaw remediation: requires timely patching of the SSRF bypass with the fix in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF in the public-facing plugin/LiveLinks/proxy.php is exercised through T1190 (Exploit Public-Facing Application). Once the validation is bypassed, the proxy can be pointed at cloud instance metadata, which maps to T1552.005 (Unsecured Credentials: Cloud Instance Metadata API, the successor of the retired T1522), and at internal services, which maps to T1046 (Network Service Discovery).
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.
Deeper analysis
CVE-2026-33480 is a server-side request forgery (SSRF) vulnerability affecting WWBN AVideo, an open source video platform, in versions up to and including 26.0. The issue stems from a bypass in the `isSSRFSafeURL()` function, which can be circumvented using IPv4-mapped IPv6 addresses in the format `::ffff:x.x.x.x`. This function is employed by the unauthenticated `plugin/LiveLinks/proxy.php` endpoint to validate URLs prior to fetching them via curl.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction, as reflected in its CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, base score 8.6) and its classification as CWE-918 (Server-Side Request Forgery). Scope is Changed because the forged request reaches systems beyond the AVideo host, and the impact is rated on confidentiality only (C:H): the attacker has the proxy fetch cloud metadata services, internal network services and localhost services on their behalf and reads what comes back. A literal such as `::ffff:169.254.169.254` is syntactically an IPv6 address, so checks written for dotted-quad IPv4 ranges and for well-known IPv6 ranges (loopback, link-local, unique-local) do not match it, while the operating system connects to the embedded IPv4 address.
The GitHub security advisory (GHSA-p3gr-g84w-g8hh) and commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 detail the patch, which addresses the IPv4-mapped IPv6 bypass in the validation logic. Operators should update to a release that includes that commit (every version up to and including 26.0 is affected) and, until then, review the LiveLinks plugin configuration to limit exposure of the unauthenticated proxy endpoint.
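The bypass class described above, as an added example in Python that is not AVideo's code and does not reproduce the real `isSSRFSafeURL()`: a deliberately weak blocklist check that compares each address only against the list for its own IP family sits beside a hardened variant that first unwraps IPv4-mapped IPv6 addresses. The blocklists, the sample URLs, the fake DNS resolver and every function name are assumptions made for this illustration; the resolver is injected so the example runs offline.

```python
"""Added example (not AVideo's code): why an IPv4-mapped IPv6 literal slips
past a per-family address blocklist, and a hardened check that unwraps it.

Assumptions: the blocklists, sample URLs and fake resolver are constructed
for this example; naive_is_ssrf_safe() only models the class of weakness the
advisory describes and is not the project's isSSRFSafeURL()."""
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklists (assumption): "this network", RFC 1918, loopback and
# link-local, the last of which covers 169.254.169.254 (cloud metadata).
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
BLOCKED_V6 = [ipaddress.ip_network(n) for n in (
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]


def _candidate_addresses(url, resolver):
    """Return the addresses a fetch of `url` would connect to, or None.

    A literal host is parsed directly; a DNS name goes through `resolver`.
    None means the URL cannot be judged and must be treated as unsafe."""
    parts = urlsplit(url)
    host = parts.hostname  # brackets around an IPv6 literal are stripped here
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:  # not a literal, so it is a name to resolve
        if resolver is None:
            return None
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        return addrs or None


def naive_is_ssrf_safe(url, resolver=None):
    """Weak check modelled on the advisory: an address is compared only with
    the blocklist of its own family. ::ffff:169.254.169.254 is an IPv6
    address, matches nothing in BLOCKED_V6 and is therefore allowed, even
    though the socket layer connects to 169.254.169.254 over IPv4."""
    addrs = _candidate_addresses(url, resolver)
    if addrs is None:
        return False
    for ip in addrs:
        nets = BLOCKED_V4 if ip.version == 4 else BLOCKED_V6
        if any(ip in net for net in nets):
            return False
    return True


def hardened_is_ssrf_safe(url, resolver=None):
    """Same structure, but an IPv4-mapped IPv6 address is unwrapped to the
    IPv4 address it designates before the blocklists are consulted."""
    addrs = _candidate_addresses(url, resolver)
    if addrs is None:
        return False
    for ip in addrs:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d  ->  a.b.c.d
        nets = BLOCKED_V4 if ip.version == 4 else BLOCKED_V6
        if any(ip in net for net in nets):
            return False
    return True


def fake_resolver(host):
    """Constructed DNS table standing in for a real lookup (assumption)."""
    table = {
        "cdn.example": ["203.0.113.10"],        # public address (TEST-NET-3)
        "mapped.example": ["::ffff:10.0.0.5"],  # AAAA record pointing inside
    }
    return table.get(host, [])


# Constructed sample URLs of the kind an attacker would submit to a proxy.
SAMPLE_URLS = {
    "public_host":      "https://cdn.example/live/stream.m3u8",
    "metadata_v4":      "http://169.254.169.254/latest/meta-data/",
    "metadata_mapped":  "http://[::ffff:169.254.169.254]/latest/meta-data/",
    "metadata_hexform": "http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/",
    "loopback_mapped":  "http://[::ffff:127.0.0.1]:8080/admin",
    "loopback_v6":      "http://[::1]/",
    "mapped_via_dns":   "http://mapped.example/",
}


def compare(checker, resolver=fake_resolver):
    """Run one checker over SAMPLE_URLS; True means the fetch would be allowed."""
    return {name: checker(url, resolver) for name, url in SAMPLE_URLS.items()}


if __name__ == "__main__":
    naive, hardened = compare(naive_is_ssrf_safe), compare(hardened_is_ssrf_safe)
    for name in SAMPLE_URLS:
        print(f"{name:17} naive={naive[name]!s:5} hardened={hardened[name]}")
```

Two caveats apply even to the hardened variant. The IPv4 address can be embedded in forms other than `::ffff:` (a hex form such as `::ffff:a9fe:a9fe` is the same address and is handled above, but NAT64 or other translation prefixes in a given deployment are not), so a denylist on literals should be backed by egress filtering at the network boundary (SC-7). And when the host is a DNS name, validating the resolved address and then letting curl resolve it again leaves a rebinding window; pinning the validated address for the fetch (curl's CURLOPT_RESOLVE) and re-validating every redirect target closes it.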
Details
- CWE(s)