PT-2026-27189 · Avideo · Avideo

Zeroxjacks · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-33690

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

AVideo versions up to and including 26.0

Description

AVideo is an open source video platform. In versions up to and including 26.0, the getRealIpAddr() function in objects/functions.php relies on user-controlled HTTP headers to determine the client's IP address. An attacker can forge these headers to spoof their IP address, potentially bypassing IP-based access controls and audit logging.

Recommendations

Update AVideo to a version later than 26.0. As a temporary workaround, consider restricting or disabling the use of the getRealIpAddr() function until a patch is available.
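
One way to resolve a client address without trusting forwarded headers from arbitrary peers, shown as an added example; it is not AVideo's code or its patch. The X-Forwarded-For header, the proxy ranges and all function names are assumptions, and the sketch handles IPv4 only.

```php
<?php
// Added example, not AVideo code. Header name, proxy ranges and function names
// are assumptions; IPv4 only, 64-bit PHP assumed for the mask arithmetic.
const TRUSTED_PROXIES = ['10.0.0.0/8', '127.0.0.1/32']; // constructed sample ranges

// True when $ip falls inside one of the trusted proxy CIDR blocks.
function isTrustedProxy(string $ip): bool
{
    $ipLong = ip2long($ip);
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if ($ipLong !== false && ($ipLong & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

// Resolve the client address from $server (same shape as $_SERVER).
function resolveClientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Forwarded headers are client-controlled unless the TCP peer is our own proxy.
    if (!isTrustedProxy($peer) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // Walk right to left: the rightmost entries were appended by our proxies,
    // anything further left was supplied by the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            return $peer; // malformed chain: fall back to the socket address
        }
        if (!isTrustedProxy($hop)) {
            return $hop; // first hop that is not one of our proxies
        }
    }
    return $peer;
}

// Constructed requests: a direct peer sending the header itself, then a proxied one.
echo resolveClientIp(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1']), PHP_EOL;
echo resolveClientIp(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9']), PHP_EOL;
```

For IP-based access controls and audit logs, recording REMOTE_ADDR alongside the resolved value keeps the socket-level peer available even when the header is honoured.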

Exploit

Fix


Weakness Enumeration

Related identifiers

CVE-2026-33690
GHSA-8P2X-5CPM-QRQW

Affected products

Avideo