CVE-2026-33690

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getRealIpAddr() function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.

Affected Software

VendorProductVersion RangeStatus
WWBNAVideo<=26.0affected

Weaknesses

  • CWE-348: CWE-348: Use of Less Trusted Source

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References