CVE-2026-33480: CWE-918: Server-Side Request Forgery (SSRF) in WWBN AVideo
CVE-2026-33480 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in WWBN AVideo versions up to and including 26.0. The vulnerability arises because the isSSRFSafeURL() function fails to properly validate IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), allowing attackers to bypass URL validation. An unauthenticated attacker can exploit the plugin/LiveLinks/proxy.php endpoint to make the server fetch arbitrary URLs, including internal network resources, localhost services, and cloud metadata endpoints. This can lead to unauthorized disclosure of sensitive internal information. The vulnerability has a CVSS 3.1 score of 8.6.
AI Analysis (machine-generated threat intelligence)
Technical Summary
WWBN AVideo is an open-source video platform that includes a function, isSSRFSafeURL(), intended to validate URLs before the server fetches them via curl. In versions up to and including 26.0, this validation function can be bypassed using IPv4-mapped IPv6 addresses, which take the form ::ffff:x.x.x.x. The validation logic does not correctly handle this IPv6 prefix, allowing malicious actors to craft URLs that appear safe but actually point to internal or localhost IP addresses. The vulnerable endpoint plugin/LiveLinks/proxy.php is accessible without authentication and uses this flawed validation to fetch URLs on behalf of the requester. Exploiting this SSRF vulnerability enables attackers to access internal network services, localhost endpoints, and cloud provider metadata services (such as AWS, Azure, or GCP metadata APIs), potentially exposing sensitive credentials and configuration data. The vulnerability has a CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating that it is remotely exploitable without privileges or user interaction, with a high impact on confidentiality and a scope that can affect multiple systems if the server is part of a larger network. Although no known exploits in the wild have been reported yet, the presence of a committed patch (commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373) suggests that the vendor has addressed the issue. Organizations running vulnerable versions should apply the patch or upgrade promptly to prevent exploitation.
Potential Impact
The primary impact of this SSRF vulnerability is unauthorized disclosure of sensitive internal information. Attackers can leverage the vulnerability to access internal network resources that are not otherwise exposed externally, including localhost services and cloud metadata endpoints. Access to cloud metadata services can lead to theft of cloud credentials, enabling further compromise of cloud infrastructure. Internal network reconnaissance can facilitate lateral movement within an organization's network, increasing the risk of broader compromise. Because the vulnerability does not require authentication or user interaction, it can be exploited by remote attackers at scale, potentially affecting many organizations using WWBN AVideo. The confidentiality impact is high, while the CVSS vector records no integrity or availability impact (I:N/A:N). The vulnerability could be particularly damaging in environments where AVideo servers have privileged network access or are deployed in sensitive cloud environments.
Mitigation Recommendations
1. Immediately upgrade WWBN AVideo to a version that includes the patch for CVE-2026-33480 or apply the vendor's patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373.
2. If patching is not immediately possible, restrict access to the plugin/LiveLinks/proxy.php endpoint via network controls or web application firewall (WAF) rules to trusted users or IP addresses only.
3. Implement network segmentation to limit the AVideo server's access to sensitive internal resources and cloud metadata endpoints.
4. Monitor logs for unusual requests to the proxy.php endpoint, especially those containing IPv4-mapped IPv6 addresses or requests targeting internal IP ranges.
5. Consider disabling or restricting the use of the LiveLinks proxy feature if it is not required.
6. Employ runtime application self-protection (RASP) or enhanced input validation to detect and block SSRF attempts.
7. Review cloud environment metadata service access policies and consider using metadata service version 2 (IMDSv2) or equivalent protections to reduce risk from SSRF attacks.
8. Conduct internal penetration testing to verify that the vulnerability is remediated and that no other SSRF vectors exist.
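The following is an added example, not WWBN AVideo's own code, written to show two things the analysis above describes: the validation step a URL checker needs so that IPv4-mapped IPv6 literals are classified by the IPv4 address they carry (the step the Technical Summary says isSSRFSafeURL() lacked), and the log review from mitigation item 4, flagging proxy.php requests whose fetch target is an internal address. Function names, the `url=` query parameter, the hostnames and the log lines are assumptions constructed for illustration; nothing here is taken from the AVideo source.

```python
"""Hardened fetch-target check plus a log scanner for a proxy-style endpoint.

Added example, not WWBN AVideo's own code. The decisive step is unwrapping
IPv4-mapped IPv6 literals (::ffff:a.b.c.d, or the hex spelling ::ffff:7f00:1)
to the embedded IPv4 address *before* classifying it. Names, the `url=`
parameter and the sample log lines are constructed assumptions.
"""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Union
from urllib.parse import parse_qs, urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ALLOWED_SCHEMES = {"http", "https"}


def unwrap_ip_literal(host: str) -> Optional[IPAddr]:
    """Parse an IP literal; an IPv4-mapped IPv6 address becomes its IPv4.

    Returns None when `host` is not an IP literal at all (i.e. a DNS name).
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped  # classify 127.0.0.1 itself, not the v6 wrapper
    return ip


def is_internal(ip: IPAddr) -> bool:
    """True for anything a server-side fetcher must not reach.

    `is_global` is False for loopback, RFC 1918, link-local (which includes
    169.254.169.254, the cloud metadata address), CGNAT, documentation and
    reserved space, and for ::1, fc00::/7 and fe80::/10 on IPv6. Multicast
    is not in that list, so it is excluded separately.
    """
    return (not ip.is_global) or ip.is_multicast


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer as a string; empty on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def is_safe_fetch_target(url: str,
                         resolver: Callable[[str], List[str]] = resolve_all) -> bool:
    """True only if every address `url` can lead to is external.

    Fails closed on a bad scheme, an unparsable URL, an unresolvable name or
    any internal answer. The caller must still pin the fetch to the validated
    address (e.g. curl's CURLOPT_RESOLVE) so a DNS rebind between check and
    connect cannot swap in an internal one, and must re-check every redirect.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    literal = unwrap_ip_literal(parts.hostname)  # urlsplit strips the []
    if literal is not None:
        addrs: List[Optional[IPAddr]] = [literal]
    else:
        addrs = [unwrap_ip_literal(a) for a in resolver(parts.hostname)]
    if not addrs or any(a is None for a in addrs):
        return False
    return not any(is_internal(a) for a in addrs)


# --- Detection side (mitigation item 4): scan access logs for proxy hits ---
LOG_REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def flag_proxy_requests(log_lines, proxy_path="/plugin/LiveLinks/proxy.php",
                        param="url"):
    """Return (line, fetched_url) for proxy requests whose target is an
    internal IP literal, IPv4-mapped IPv6 included. DNS names are left alone
    here so log review never triggers lookups."""
    hits = []
    for line in log_lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        req = urlsplit(m.group("target"))
        if req.path != proxy_path:
            continue
        for fetched in parse_qs(req.query).get(param, []):  # percent-decoded
            try:
                host = urlsplit(fetched).hostname
            except ValueError:
                host = None
            ip = unwrap_ip_literal(host) if host else None
            if ip is not None and is_internal(ip):
                hits.append((line, fetched))
    return hits


# Constructed sample log lines (combined-log style); not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2026:14:30:54 +0000] "GET /plugin/LiveLinks/proxy.php?url=http%3A%2F%2F%5B%3A%3Affff%3A127.0.0.1%5D%3A8080%2Fadmin HTTP/1.1" 200 812',
    '203.0.113.7 - - [23/Mar/2026:14:30:55 +0000] "GET /plugin/LiveLinks/proxy.php?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 331',
    '198.51.100.23 - - [23/Mar/2026:14:31:02 +0000] "GET /plugin/LiveLinks/proxy.php?url=https%3A%2F%2Fvideo.example%2Flive.m3u8 HTTP/1.1" 200 4102',
    '198.51.100.23 - - [23/Mar/2026:14:31:03 +0000] "GET /index.php HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for line, fetched in flag_proxy_requests(SAMPLE_LOG):
        print("internal target fetched via proxy:", fetched)
```

Two design points worth noting. The validator checks every resolved address rather than the first, because a name with one public and one internal record is still a path to the internal host; and it returns False rather than True on anything it cannot parse or resolve, so a new encoding it does not understand is blocked rather than waved through. The scanner deliberately does not resolve hostnames found in logs, so it catches literal-address probes (including the `::ffff:` form) without generating DNS traffic during review.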
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.970Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c14e9ef4197a8e3b641c8a
Added to database: 3/23/2026, 2:30:54 PM
Last enriched: 3/23/2026, 2:46:39 PM
Last updated: 3/23/2026, 3:43:33 PM