#VU125459 Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33480

 


Published: April 8, 2026


Vulnerability identifier: #VU125459
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33480
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote attacker to disclose sensitive information from internal services, localhost services, and cloud metadata endpoints.

The vulnerability exists due to server-side request forgery in plugin/LiveLinks/proxy.php and isSSRFSafeURL() when handling user-supplied URLs containing IPv4-mapped IPv6 addresses. A remote attacker can send a specially crafted request to disclose sensitive information from internal services, localhost services, and cloud metadata endpoints.

The vulnerable endpoint is unauthenticated, and the fetched response content is echoed back to the requester.
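
The following is an added example, not AVideo's code and not part of the advisory. Written in Python, it sets a constructed IPv4-only check, which never inspects IPv4-mapped IPv6 literals, beside a check that unmaps them before testing the address range. The function names, the `resolve` parameter and the sample URLs are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def naive_is_safe(url):
    """Constructed weak check: screens IPv4 literals only (not AVideo's code)."""
    try:
        return ipaddress.IPv4Address(urlsplit(url).hostname or "").is_global
    except ValueError:
        return True  # an IPv6 literal such as ::ffff:127.0.0.1 is never inspected

def unmap(ip):
    """Collapse ::ffff:a.b.c.d to the IPv4 address the socket will really reach."""
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has this attribute
    return mapped if mapped is not None else ip

def system_resolve(host):
    """Default resolver (assumed helper): every address the OS returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def hardened_is_safe(url, resolve=system_resolve):
    """Allow http(s) URLs only when every candidate address is globally routable."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False  # malformed URL: fail closed
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        candidates = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a.split("%")[0]) for a in resolve(host)]
        except (OSError, ValueError):
            return False  # unresolvable or unparsable answer: fail closed
    return bool(candidates) and all(unmap(ip).is_global for ip in candidates)

# Constructed sample URLs (not taken from the advisory).
SAMPLES = ("http://127.0.0.1/", "http://[::ffff:127.0.0.1]/",
           "http://[::ffff:169.254.169.254]/", "http://[::ffff:1.1.1.1]/")

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:36} naive={naive_is_safe(u)!s:5} hardened={hardened_is_safe(u)}")
```

A check of this kind only holds if the request is then sent to the address that was validated, and if any redirect target is checked the same way before it is followed.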


Remediation

Install the security update from the vendor's website.

External links