EUVD-2026-14500
GHSA-8p2x-5cpm-qrqw
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Tags
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c contains a patch.
Analysis
WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running versions and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today