CVE-2026-33480: AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy

March 20, 2026

The isSSRFSafeURL() function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh
github.com/advisories/GHSA-p3gr-g84w-g8hh
nvd.nist.gov/vuln/detail/CVE-2026-33480

Code Behaviors & Features

Detect and mitigate CVE-2026-33480 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →