CVE-2026-33690

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-23 19:16

Updated : 2026-03-25 15:06

NVD link : CVE-2026-33690

Mitre link : CVE-2026-33690

CVE.ORG link : CVE-2026-33690

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-348

Use of Less Trusted Source

{"id": "CVE-2026-33690", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-23T19:16:42.173", "references": [{"url": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-348"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n 'getRealIpAddr()' en 'objects/functions.php' conf\u00eda en los encabezados HTTP controlados por el usuario para determinar la direcci\u00f3n IP del cliente. Un atacante puede falsificar su direcci\u00f3n IP enviando encabezados falsificados, eludiendo cualquier control de acceso basado en IP o registro de auditor\u00eda. El commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contiene un parche."}], "lastModified": "2026-03-25T15:06:07.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}