{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33690", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.932Z", "datePublished": "2026-03-23T18:45:25.729Z", "dateUpdated": "2026-03-24T18:36:16.313Z"}, "containers": {"cna": {"title": "AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()", "problemTypes": [{"descriptions": [{"cweId": "CWE-348", "lang": "en", "description": "CWE-348: Use of Less Trusted Source", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw"}, {"name": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<=26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:45:25.729Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch."}], "source": {"advisory": "GHSA-8p2x-5cpm-qrqw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:36:08.419887Z", "id": "CVE-2026-33690", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:36:16.313Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33690", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:36:08.419887Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:36:13.047Z"}}], "cna": {"title": "AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()", "source": {"advisory": "GHSA-8p2x-5cpm-qrqw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<=26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c", "name": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-348", "description": "CWE-348: Use of Less Trusted Source"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:45:25.729Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33690", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:36:16.313Z", "dateReserved": "2026-03-23T16:34:59.932Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T18:45:25.729Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, la funci\u00f3n 'getRealIpAddr()' en 'objects/functions.php' conf\u00eda en los encabezados HTTP controlados por el usuario para determinar la direcci\u00f3n IP del cliente. Un atacante puede falsificar su direcci\u00f3n IP enviando encabezados falsificados, eludiendo cualquier control de acceso basado en IP o registro de auditor\u00eda. El commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contiene un parche."}], "id": "CVE-2026-33690", "lastModified": "2026-03-25T15:06:07.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:42.173", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-348"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-25T16:40:21.614483+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to a version newer than 26.0 or apply the patch found in commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c", "If an upgrade is not immediately possible, modify the configuration to disable the use of untrusted headers when determining client IP or remove calls to getRealIpAddr()", "Verify that audit logging and IP\u2011based controls are in place and test that spoofed IP addresses no longer bypass them"], "summary": {"action": "Apply Patch", "impact": "IP address spoofing through untrusted HTTP headers"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WWBN AVideo platform in all releases up to and including version 26.0. No other product versions or vendors are listed as impacted, but those using the affected code path would be susceptible until patching or upgrading past the corrected implementation.", "description_and_impact": "A function used to determine the client\u2019s IP address in WWBN AVideo did not validate HTTP headers and therefore allowed an attacker to forge an IP address. This flaw can be exploited to bypass IP\u2011based access controls and conceal attacker identity from audit logs. The weakness corresponds to CWE\u2011348, which describes the submission of arbitrary data to an application that refuses or ignores it during validation.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity flaw. The EPSS index is below 1\u202f%, and the vulnerability is not present in CISA\u2019s KEV catalog, suggesting low current exploitation activity. The attack vector is inferred to be remote, via forged HTTP headers that the application accepts without validation. An attacker merely needs to send a request with manipulated header fields such as X\u2011Forwarded\u2011For or Remote\u2011Addr to achieve the spoofing effect."}}}}, "created": "2026-03-24T10:33:13.271229+00:00", "updated": "2026-03-25T20:37:04.663996+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}