PT-2026-27189 · Avideo · Avideo

Zeroxjacks · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-33690

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions up to and including 26.0

Description

AVideo is an open source video platform. In versions up to and including 26.0, the getRealIpAddr() function in objects/functions.php relies on user-controlled HTTP headers to determine the client's IP address. An attacker can forge these headers to spoof their IP address, potentially bypassing IP-based access controls and audit logging.

Recommendations

Update AVideo to a version later than 26.0. As a temporary workaround, consider restricting or disabling the use of the getRealIpAddr() function until a patch is available.
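
The pattern described above next to a hardened form, as an added sketch that is not AVideo's code or its patch. The advisory does not name the headers involved, so X-Forwarded-For is assumed; TRUSTED_PROXIES, both function names and all addresses are hypothetical.

```php
<?php
// Added sketch, not AVideo's code. TRUSTED_PROXIES and the function names are assumptions.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // constructed: your own reverse proxies

// Pattern the advisory describes: a client-supplied header wins over the socket address.
function clientIpSpoofable(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
}

// Hardened: the header is read only when the TCP peer is one of our proxies.
function clientIpTrusted(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // Walk the chain right to left; the first hop that is not our proxy is the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests: a direct client forging the header, and a real proxied request.
$forged  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9'];

foreach (['forged' => $forged, 'proxied' => $proxied] as $name => $req) {
    printf("%-8s spoofable=%-12s trusted=%s\n", $name, clientIpSpoofable($req), clientIpTrusted($req));
}
```

Logging the socket address alongside any header-derived value keeps audit records usable even where the header is still consulted.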


Weakness Enumeration

Related Identifiers

CVE-2026-33690
GHSA-8P2X-5CPM-QRQW

Affected Products

Avideo