High severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 23, 2026
AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
CVE-2026-33480
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the isSSRFSafeURL() function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.
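One way to close the gap described above, as an added example that is not AVideo's code or the patch in the referenced commit: normalize IPv4-mapped IPv6 literals to plain IPv4 before the range check. The function names, the blocklist and the sample URLs are assumptions, and it covers IP-literal hosts only, so a hostname would still need to be resolved and each resolved address passed through the same check.

```php
<?php // Added example, not AVideo's code: names and the blocklist are assumptions.
const BLOCKED_V4 = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
    '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '240.0.0.0/4'];
// Collapse ::ffff:a.b.c.d, in any textual spelling, to a.b.c.d.
function unmapIPv4(string $ip): string
{
    $bin = @inet_pton($ip); // false when $ip is not an IP literal
    $mapped = str_repeat("\x00", 10) . "\xff\xff"; // the ::ffff:0:0/96 prefix
    if ($bin !== false && strlen($bin) === 16 && substr($bin, 0, 12) === $mapped) {
        return inet_ntop(substr($bin, 12)); // last 4 bytes as a dotted quad
    }
    return $ip;
}

function isBlockedV4(string $ip): bool
{
    $addr = ip2long($ip); // assumes 64-bit PHP (non-negative result)
    foreach (BLOCKED_V4 as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

function isBlockedV6(string $ip): bool
{
    $bin = inet_pton($ip);
    return $bin === inet_pton('::1') || $bin === inet_pton('::')     // loopback, unspecified
        || (ord($bin[0]) & 0xfe) === 0xfc                             // unique local fc00::/7
        || (ord($bin[0]) === 0xfe && (ord($bin[1]) & 0xc0) === 0x80); // link-local fe80::/10
}

// True only when $host is an IP literal that is public after un-mapping.
function isSafeIPLiteral(string $host): bool
{
    $ip = unmapIPv4(trim($host, '[]')); // parse_url() keeps the brackets on IPv6 hosts
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return !isBlockedV4($ip);
    }
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false && !isBlockedV6($ip);
}

// Constructed sample URLs; only the last one is a public address.
foreach (['http://[::ffff:169.254.169.254]/', 'http://[::ffff:7f00:1]/', 'http://[::1]/', 'http://93.184.216.34/'] as $url) {
    printf("%-36s %s\n", $url, isSafeIPLiteral(parse_url($url, PHP_URL_HOST)) ? 'allow' : 'block');
}
```

Comparing the binary form from `inet_pton()` rather than the string is what catches alternate spellings such as `::ffff:7f00:1`, which a textual prefix match on `::ffff:` followed by a dotted quad would miss.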
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
References
- github.com/advisories/GHSA-p3gr-g84w-g8hh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33480 (ghsa, ADVISORY)
- github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373 (ghsa, x_refsource_MISC, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh (ghsa, x_refsource_CONFIRM, WEB)