CVE-2026-33480 - Vulnerability Analysis
High | CVSS: 8.6 | Last Updated: March 23, 2026
WWBN AVideo - Server Side Request Forgery
Overview
WWBN AVideo <= 26.0 contains a server-side request forgery (SSRF) vulnerability: the isSSRFSafeURL() validation can be bypassed using IPv4-mapped IPv6 addresses in plugin/LiveLinks/proxy.php, letting unauthenticated attackers access internal services. Exploitation requires a crafted URL containing an IPv4-mapped IPv6 address.
Impact
Unauthenticated attackers can access internal network services and cloud metadata, potentially leading to sensitive data exposure or further network compromise.
Mitigation
Update to the version including commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 or later.
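An added example, not AVideo's code and not the upstream fix: a Python sketch of the bug class described in the Overview, where private IPv4 ranges are consulted only for IPv4-form literals, next to a check that unwraps IPv4-mapped IPv6 addresses first. The blocklists, function names and sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, non-exhaustive blocklists for illustration only.
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
BLOCKED_V6 = [ipaddress.ip_network(n) for n in (
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]


def _blocked(addr):
    # Compare only against networks of the same address family.
    nets = BLOCKED_V4 if addr.version == 4 else BLOCKED_V6
    return any(addr in net for net in nets)


def naive_is_safe(host):
    """Flawed: ::ffff:a.b.c.d is IPv6, so the IPv4 ranges are never consulted."""
    return not _blocked(ipaddress.ip_address(host))


def hardened_is_safe(host):
    """Unwrap an IPv4-mapped IPv6 literal to its embedded IPv4 address first."""
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not _blocked(addr)


def url_is_safe(url, check=hardened_is_safe):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return check(parts.hostname)  # hostname has the [] brackets stripped
    except ValueError:
        # Not an IP literal. A real check resolves the name and tests every
        # returned address; skipped here to stay offline, so treat as unsafe.
        return False
```

Both the dotted (`::ffff:169.254.169.254`) and hex (`::ffff:a9fe:a9fe`) spellings parse to the same address, so the unwrap covers either form.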
Social Media Activity (2 posts)
CVE-2026-33480 - High (8.6) WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endp... https://www.thehackerwire.com/vulnerability/CVE-2026-33480/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-33480
- Severity: High
- CVSS Score: 8.6
- Type: server_side_request_forgery
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N