CVE-2026-33690

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33690
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33690.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33690
Aliases
Published
2026-03-23T18:45:25.729Z
Modified
2026-04-10T05:42:54.350686Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
Details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getRealIpAddr() function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.

Database specific 
{
    "cwe_ids": [
        "CWE-348"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33690.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type
GIT
Repo
https://github.com/wwbn/avideo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
aee1e11ee8d9343f87b7643e49cc32924b07979b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "26.0"
        }
    ]
}

Affected versions

10.*
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
18.*
18.0
2.*
2.2
2.7
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0
3.*
3.4
4.*
4.0
7.*
7.2
7.3
7.4
7.6
7.7
7.8
8.*
8.1
8.5
8.6
8.7
8.9
8.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33690.json"