Executive Summary

CVE-2026-28501 is a critical unauthenticated SQL Injection vulnerability in the WWBN AVideo open source video platform, affecting versions prior to 24.0. The vulnerability exists because the application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. JSON input is parsed and merged into the PHP $_REQUEST superglobal after global security checks have been executed, allowing malicious payloads to bypass existing sanitization mechanisms.

This flaw allows an unauthenticated attacker to execute arbitrary SQL queries on the database, potentially leading to full database exfiltration, including sensitive data such as administrator usernames, password hashes, session identifiers, and user records. Attackers may also escalate privileges by cracking password hashes offline and possibly combine this vulnerability with authenticated vulnerabilities to achieve full system compromise.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data stored in the database, such as administrator usernames, password hashes, session identifiers, and user records. An attacker can execute arbitrary SQL commands without authentication, leading to data theft, data manipulation, or deletion.

Additionally, attackers may escalate their privileges by cracking password hashes offline, potentially gaining administrative control over the system. This can result in full system compromise, affecting the confidentiality, integrity, and availability of the affected platform.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests containing the catName parameter in JSON-formatted bodies sent to the endpoints objects/videos.json.php and objects/video.php. Since the vulnerability involves SQL Injection via the catName parameter, detection can focus on identifying unusual or malicious SQL payloads within these requests.'}, {'type': 'paragraph', 'content': 'A practical approach is to use network monitoring or web application firewall (WAF) logs to look for POST requests with JSON bodies targeting these endpoints that include SQL syntax or injection patterns in the catName field.'}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts might include using curl or similar tools to test the endpoints, or using grep and log analysis to find suspicious entries.'}, {'type': 'list_item', 'content': 'Use curl to test the endpoint with a crafted payload: curl -X POST -H "Content-Type: application/json" -d \'{"catName":"\' OR \'1\'=\'1"}\' https://your-avideo-domain/objects/videos.json.php'}, {'type': 'list_item', 'content': 'Search web server logs for suspicious POST requests containing \'catName\' with SQL keywords: grep -i "catName" /var/log/apache2/access.log | grep -E "(union|select|or|and|--|\')"'}, {'type': 'list_item', 'content': 'Use intrusion detection systems or WAFs to alert on SQL injection patterns in JSON POST bodies targeting the affected endpoints.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective mitigation step is to upgrade the WWBN AVideo software to version 24.0 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'No reliable workarounds exist, so upgrading is strongly advised to prevent exploitation.'}, {'type': 'paragraph', 'content': "The patch involves proper sanitization and escaping of user inputs, especially the catName parameter, using MySQLi's real_escape_string function to prevent SQL Injection."}, {'type': 'paragraph', 'content': 'Until the upgrade can be applied, consider implementing network-level protections such as blocking or filtering suspicious POST requests to the affected endpoints and monitoring for exploitation attempts.'}] [1, 2, 3]

Useful 0 Not Useful 0