CVE-2026-33690
Published: 2026-03-23
Priority: P4 · 29 · CVSS 3.1 base score 5.3 (medium)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.18% (7.3rd percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | — | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA
AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
ghsa·2026-03-25
CVE-2026-33690 [MEDIUM] CWE-348 AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
## Summary
The `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address.
An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging.
## Vulnerable Code
File: `objects/functions.php`
```php
<?php
// objects/functions.php (AVideo <= 26.0), as quoted in the advisory. The
// function wrapper and the comments are added here for readability; the body
// is the advisory's own. Every entry in this list except REMOTE_ADDR is set
// from a client-supplied request header, and those entries are consulted
// before the socket-level address, so the first valid IPv4 found wins.
function getRealIpAddr() {
    $headers = [
        'HTTP_X_REAL_IP',        // X-Real-IP request header
        'HTTP_CLIENT_IP',        // Client-IP request header
        'HTTP_X_FORWARDED_FOR',  // X-Forwarded-For request header
        'REMOTE_ADDR'            // peer address from the TCP socket, checked last
    ];
    foreach ($headers as $header) {
        if (!empty($_SERVER[$header])) {
            // Comma-separated lists (X-Forwarded-For) are split and read left to
            // right, so the leftmost, client-supplied entry is returned first.
            $ips = explode(',', $_SERVER[$header]);
            foreach ($ips as $ipCandidate) {
                $ipCandidate = trim($ipCandidate);
                if (filter_var($ipCandidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                    return $ipCandidate;
                }
            }
        }
    }
    // Falls through (returns null) if no header yields a valid IPv4 address.
}
```
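As an added example, not AVideo's code and not the change in the referenced commit, the block below shows one hardened pattern for the same lookup: use `REMOTE_ADDR` by default and consult `X-Forwarded-For` only when the TCP peer is a reverse proxy the operator has explicitly configured, walking the header from the right so that only the hop appended by a trusted proxy is believed. The function name `clientIpFromRequest()`, the `$trustedProxies` setting and the sample addresses are assumptions; the requests are constructed, not captured traffic.

```php
<?php
// Hardened client-address lookup (added example, not AVideo's code).
// $server is the $_SERVER array; $trustedProxies is an assumed operator
// setting listing the reverse proxies allowed to set X-Forwarded-For.
function clientIpFromRequest(array $server, array $trustedProxies): string
{
    // REMOTE_ADDR comes from the socket and cannot be changed by a request header.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        // No usable peer address: report unknown rather than falling back to headers.
        return '0.0.0.0';
    }
    if (!in_array($peer, $trustedProxies, true)) {
        // Direct connection or an unknown proxy: the forwarding headers are
        // client-controlled, so ignore them and return the socket address.
        return $peer;
    }
    // The peer is a trusted proxy, so its X-Forwarded-For is meaningful. Walk it
    // right to left: the rightmost entry was appended by that proxy, earlier
    // entries may have been supplied by the client.
    $raw  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $raw));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: stop walking and fall back to the proxy address.
            break;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            // First address from the right that is not one of our proxies is the client.
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests (assumed values) covering the three cases.
$trusted = ['10.0.0.5']; // assumed address of the site's reverse proxy

// 1. Direct client supplying a forged header: the header is ignored.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
echo "direct:    ", clientIpFromRequest($direct, $trusted), "\n";

// 2. Request relayed by the trusted proxy: the rightmost non-proxy hop is the client.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9'];
echo "via proxy: ", clientIpFromRequest($viaProxy, $trusted), "\n";

// 3. Relayed by the trusted proxy but with a malformed header: fall back to the proxy.
$bad = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'];
echo "malformed: ", clientIpFromRequest($bad, $trusted), "\n";
```

The design point is that the decision to believe a forwarding header is keyed on who connected, not on whether the header is present or parses as an IP: in case 1 the client-supplied value never influences the result, and in case 2 a value the client prepended to the chain is skipped because the walk starts at the proxy's own entry. `X-Real-IP` and `Client-IP` get no special treatment here; if a deployment's proxy sets one of them, it should be read under the same trusted-peer condition.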
## Attack Scenario
OSV
AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
osv·2026-03-25
No detection rules found.
No public exploits indexed.