CVE-2026-33690

Exploit

EPSS 0.18%
Veröffentlicht 23.03.2026 18:45:25
Zuletzt bearbeitet 25.03.2026 15:06:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wwbn ≫ Avideo Version <= 26.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.071

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-348 Use of Less Trusted Source

The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw

Vendor Advisory

Exploit

https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-33690

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33690

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33690

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33690