Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: IP address spoofing through untrusted HTTP headers
Action: Apply Patch
AI Analysis

Impact

A function used to determine the client's IP address in WWBN AVideo read that address from HTTP request headers, which the client controls, instead of relying on the connection-level address recorded by the web server. An attacker can therefore present an arbitrary IP address, bypass IP‑based access controls and conceal their real address from audit logs. The weakness is classified as CWE‑348, Use of Less Trusted Source: the application has a trustworthy source for the data (the TCP peer address) and a less trustworthy one (request headers) and uses the less trustworthy one.

Affected Systems

The vulnerability affects the WWBN AVideo platform in all releases up to and including version 26.0. No other products or vendors are listed as impacted. Any installation running the affected code path remains susceptible until it is patched or upgraded past the corrected implementation.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, score 5.3) rates the flaw medium: exploitable over the network with no privileges or user interaction, with a low impact on integrity only. The EPSS index is below 1 % and the vulnerability is not in CISA's KEV catalog, which suggests little observed exploitation, although the SSVC assessment records a public proof of concept and classes the attack as automatable. An attacker needs only to send a request whose forwarding headers carry a chosen address; the advisory does not name the specific headers, but X‑Forwarded‑For and similar forwarding headers are the usual source in PHP code of this kind. The web server's own REMOTE_ADDR value, taken from the TCP connection, cannot be altered by a request header, which is why a correct implementation starts from it.

Generated by OpenCVE AI on March 25, 2026 at 16:40 UTC.

Remediation

No vendor advisory with a workaround is recorded here; the CVE description points to commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c as containing the patch.

OpenCVE Recommended Actions

  • Upgrade AVideo to a version newer than 26.0 or apply the patch found in commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c
  • If an upgrade is not immediately possible, change getRealIpAddr() so that it returns $_SERVER['REMOTE_ADDR'] and honours forwarding headers such as X‑Forwarded‑For only when the connecting peer is one of your own reverse proxies; removing every call to the function is not practical, since the value is used across the application
  • Verify that audit logging and IP‑based controls are in place and test that spoofed IP addresses no longer bypass them
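The header-trust problem the analysis describes, and the fix the recommended actions ask for, as an added PHP example (not AVideo's code and not the patch in the referenced commit): a resolver written in the common vulnerable idiom next to a hardened one that starts from REMOTE_ADDR and honours X-Forwarded-For only from a configured reverse proxy. The header names, the proxy address and the sample requests are assumptions.

```php
<?php
// Added example, not AVideo's own code. Shows the bug class from the
// advisory using the common PHP "real IP" idiom, then a hardened resolver.
// The header names, the trusted-proxy address and the sample requests are
// assumptions constructed for this example.

// Vulnerable pattern: any client can send Client-IP or X-Forwarded-For,
// so whenever such a header is present the returned address is attacker
// controlled. Takes $_SERVER (or an equivalent array) as input.
function getRealIpAddr_vulnerable(array $server): string
{
    if (!empty($server['HTTP_CLIENT_IP'])) {
        return $server['HTTP_CLIENT_IP'];
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For is a comma-separated chain; this idiom takes the
        // leftmost entry, which is exactly the one the client wrote.
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($hops[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened resolver. REMOTE_ADDR is the TCP peer address recorded by the
// web server; no request header can change it. A forwarding header is
// honoured only when that peer is a configured reverse proxy, and then
// only the rightmost entry, which is the one that proxy appended. This
// models a single trusted proxy; a chain of proxies would strip every
// trusted address from the right before taking the next entry.
function getClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $xff = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '') {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $xff));
    $candidate = end($hops);
    // Refuse anything that is not a syntactically valid IPv4/IPv6 literal
    // rather than letting a malformed value reach access checks or logs.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote;
    }
    return $candidate;
}

function expect(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got '$got', want '$want'");
    }
}

// Constructed requests using RFC 5737 documentation addresses.
$trusted = ['192.0.2.10'];   // assumed address of the site's reverse proxy

// 1. Direct connection from 198.51.100.7 carrying a forged header that
//    claims an internal address, e.g. to pass an "internal-only" check.
$direct = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1',
];
// 2. Same forged header, but arriving through the trusted proxy, which
//    appended the true peer address to the chain.
$viaProxy = [
    'REMOTE_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.7',
];
// 3. Misconfigured proxy that relays the client's header unchanged; the
//    rightmost entry is client-supplied garbage and is rejected.
$passthrough = [
    'REMOTE_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, <script>',
];

// The vulnerable idiom believes the forged header; the hardened one does not.
expect('vulnerable/direct', getRealIpAddr_vulnerable($direct), '10.0.0.1');
expect('hardened/direct', getClientIp($direct, $trusted), '198.51.100.7');
expect('hardened/proxy', getClientIp($viaProxy, $trusted), '198.51.100.7');
expect('hardened/passthrough', getClientIp($passthrough, $trusted), '192.0.2.10');
echo "all checks passed\n";
```

Run it with `php example.php`; a failed check throws. The same constructed arrays double as a regression test for the fix: after patching, feed a request with a forged header from a non-proxy address through the real resolver and confirm the logged address is the peer address, not the header value.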


Advisories
Source: GitHub GHSA
ID: GHSA-8p2x-5cpm-qrqw
Title: AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
History

Wed, 25 Mar 2026 15:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values added: Wwbn; Wwbn avideo
Type: Vendors & Products
Values added: Wwbn; Wwbn avideo

Mon, 23 Mar 2026 19:00:00 +0000

Type: Description
Values added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.
Type: Title
Values added: AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
Type: Weaknesses
Values added: CWE-348
Type: References
Values added: (empty)
Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:36:16.313Z

Reserved: 2026-03-23T16:34:59.932Z

Link: CVE-2026-33690

Vulnrichment

Updated: 2026-03-24T18:36:13.047Z

NVD

Status : Analyzed

Published: 2026-03-23T19:16:42.173

Modified: 2026-03-25T15:06:07.927

Link: CVE-2026-33690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:04Z

Weaknesses