Server-Side Request Forgery (SSRF) in AVideo - CVE-2026-33480


Published: April 8, 2026
Vulnerability identifier: #VU125459
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-33480
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information from internal services, localhost services, and cloud metadata endpoints.

The vulnerability exists due to server-side request forgery in plugin/LiveLinks/proxy.php and isSSRFSafeURL() when handling user-supplied URLs containing IPv4-mapped IPv6 addresses (the ::ffff:a.b.c.d form), which the safety check does not reduce to the embedded IPv4 address before applying its internal-address restrictions. A remote attacker can send a specially crafted request to disclose sensitive information from internal services, localhost services, and cloud metadata endpoints.

The vulnerable endpoint is unauthenticated, and the fetched response content is echoed back to the requester, so the attacker receives the internal service's reply directly.
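The failure class described above (an SSRF allow-list that inspects IPv4 literals but lets an IPv4-mapped IPv6 literal through) is easy to reproduce and to fix with a small checker. The following is an added example written for this advisory; it is not AVideo's isSSRFSafeURL() nor any code from the project, and its function names, block list and sample hostnames are assumptions. Canonicalizing every address (literal or resolved) with Python's standard ipaddress module and unwrapping `ipv4_mapped` before the range check is what closes the gap; the `unwrap_mapped=False` switch exists only to show the bypass the hardened path prevents.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed internal/loopback/link-local ranges a proxy should never fetch from.
# 169.254.0.0/16 covers the usual cloud metadata endpoint (169.254.169.254).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def normalize_ip(host, unwrap_mapped=True):
    """Parse `host` as an IP literal. With unwrap_mapped, an IPv4-mapped IPv6
    address such as ::ffff:127.0.0.1 (or its hex form ::ffff:7f00:1) is reduced
    to the IPv4 address it carries. Returns None if `host` is not an IP literal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if unwrap_mapped and isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
    return addr


def is_blocked_ip(addr):
    # Note: `addr in net` is False when versions differ, which is exactly why an
    # un-unwrapped ::ffff:127.0.0.1 slips past an IPv4-only block list.
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolved_addresses(host, resolve=None):
    """Return every address `host` resolves to. `resolve` is an injectable
    hostname -> list[str] function (used in tests); default is getaddrinfo."""
    if resolve is not None:
        return resolve(host)
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_ssrf_safe_url(url, resolve=None, unwrap_mapped=True):
    """Hardened check (hypothetical, not AVideo's): accept only http/https URLs
    whose host, once every candidate address is canonicalized, lies outside
    BLOCKED_NETWORKS. Any address that cannot be parsed is treated as unsafe."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # strips [] around IPv6 literals, lowercases
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False

    literal = normalize_ip(host, unwrap_mapped)
    if literal is not None:
        candidates = [literal]
    else:
        candidates = [normalize_ip(a, unwrap_mapped)
                      for a in resolved_addresses(host, resolve)]
    if not candidates or any(c is None for c in candidates):
        return False
    return not any(is_blocked_ip(c) for c in candidates)


if __name__ == "__main__":
    # Constructed sample targets; the first line shows the bypass, the rest the fix.
    print(is_ssrf_safe_url("http://[::ffff:127.0.0.1]/", unwrap_mapped=False))
    print(is_ssrf_safe_url("http://[::ffff:127.0.0.1]/"))
    print(is_ssrf_safe_url("http://169.254.169.254/latest/meta-data/"))
```

Two caveats for anyone wiring a check like this into a proxy: resolve the hostname once and connect to the address you validated (otherwise a second lookup at fetch time reopens the door via DNS rebinding), and re-run the check on every redirect target, since the first hop can be harmless and the Location header internal.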

How to mitigate CVE-2026-33480

Install the security update from the vendor's website.

Sources