<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33480 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33480/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 16 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33480/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo SSRF Vulnerability via IPv4-Mapped IPv6 Bypass (CVE-2026-33480)</title><link>https://feed.craftedsignal.io/briefs/2024-01-16-avideo-ssrf/</link><pubDate>Tue, 16 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-16-avideo-ssrf/</guid><description>AVideo versions up to 26.0 are vulnerable to server-side request forgery (SSRF) due to a bypass in the `isSSRFSafeURL()` function, allowing unauthenticated attackers to access internal resources.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is vulnerable to a Server-Side Request Forgery (SSRF) attack. Specifically, versions up to and including 26.0 contain a flaw in the <code>isSSRFSafeURL()</code> function. This function, intended to prevent SSRF attacks, can be bypassed using IPv4-mapped IPv6 addresses (e.g., <code>::ffff:x.x.x.x</code>). The vulnerability is located in the <code>plugin/LiveLinks/proxy.php</code> endpoint, which lacks proper authentication. An attacker can exploit this to make arbitrary HTTP requests to internal resources, cloud metadata endpoints, and localhost services. This issue was addressed in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373. The CVSS v3.1 score is 8.6, indicating a high level of severity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an AVideo instance running a vulnerable version (&lt;= 26.0).</li>
<li>The attacker crafts a malicious URL using an IPv4-mapped IPv6 address, such as <code>::ffff:127.0.0.1</code>.</li>
<li>The attacker sends an HTTP request to the <code>plugin/LiveLinks/proxy.php</code> endpoint, providing the malicious URL as a parameter.</li>
<li>The <code>isSSRFSafeURL()</code> function fails to properly validate the IPv4-mapped IPv6 address.</li>
<li>The <code>proxy.php</code> script uses curl (or a similar function) to fetch the content from the attacker-controlled URL.</li>
<li>The curl request is sent to the target specified within the IPv6-mapped address (e.g., localhost).</li>
<li>The attacker gains access to sensitive information from internal services, cloud metadata, or localhost.</li>
<li>The attacker may further exploit accessed services or exfiltrate data depending on the internal resources exposed.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability allows unauthenticated attackers to read sensitive information from internal services, cloud metadata endpoints, and localhost services. This can lead to the disclosure of API keys, configuration files, internal network layouts, and potentially allow further exploitation of other internal systems. The lack of authentication on the affected endpoint greatly increases the potential for widespread abuse, particularly in cloud environments where metadata services are readily accessible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 to remediate CVE-2026-33480.</li>
<li>Monitor web server logs for requests to the <code>plugin/LiveLinks/proxy.php</code> endpoint containing IPv4-mapped IPv6 addresses using the provided Sigma rule.</li>
<li>Implement network segmentation and firewall rules to restrict access from the AVideo server to internal resources to mitigate the impact of successful SSRF attacks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ssrf</category><category>avideo</category><category>cve-2026-33480</category><category>webserver</category></item></channel></rss>