Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.
Published: 2026-03-23
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Request Forgery enabling access to internal resources
Action: Immediate Patch
AI Analysis

Impact

AVideo’s LiveLinks proxy validates URLs with the isSSRFSafeURL() function, which was vulnerable to IPv4‑mapped IPv6 addresses such as ::ffff:10.0.0.5. These addresses circumvent the safety check, allowing an attacker to cause the server to fetch any remote resource via curl. The result is an SSRF that can reach cloud metadata services, internal network hosts, and localhost endpoints, potentially exposing sensitive configuration data and providing a foothold for further attacks. The flaw is classified as CWE‑918, reflecting insufficient input validation on the server side and a high CVSS score of 8.6.

Affected Systems

The vulnerability affects the open source video platform AVideo by WWBN, specifically versions up to and including 26.0. Versions 26.1 and later contain a patch that resolves the SSRF bypass. All installations of the affected releases that expose the unauthenticated /plugin/LiveLinks/proxy.php endpoint are susceptible.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by sending an unauthenticated HTTP request to the LiveLinks/proxy.php endpoint with an IPv4‑mapped IPv6 URL, enabling internal network reconnaissance and potential lateral movement.

Generated by OpenCVE AI on March 24, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 or upgrade AVideo to version 26.1 or newer.
  • Restrict unauthenticated access to the /plugin/LiveLinks/proxy.php endpoint via web server configuration or an application firewall.
  • Block outbound traffic from the proxy service to internal IP ranges and cloud metadata endpoints using network firewall rules.
  • Monitor web and application logs for unexpected internal IP access attempts and investigate suspicious activity.

Generated by OpenCVE AI on March 24, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p3gr-g84w-g8hh AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
History

Tue, 24 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.
Title AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T15:57:19.767Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33480

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T15:16:34.400

Modified: 2026-03-24T18:46:11.393

Link: CVE-2026-33480

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:28:03Z

Weaknesses