CVE-2026-28501
Unauthenticated SQL Injection in WWBN AVideo JSON Components
Publication date: 2026-03-06
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | all versions before 24.0 (24.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28501 is a critical unauthenticated SQL Injection vulnerability in the WWBN AVideo open source video platform, affecting versions prior to 24.0. The vulnerability exists because the application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. JSON input is parsed and merged into the PHP $_REQUEST superglobal after global security checks have been executed, allowing malicious payloads to bypass existing sanitization mechanisms.
This flaw allows an unauthenticated attacker to execute arbitrary SQL queries on the database, potentially leading to full database exfiltration, including sensitive data such as administrator usernames, password hashes, session identifiers, and user records. Attackers may also escalate privileges by cracking password hashes offline and possibly combine this vulnerability with authenticated vulnerabilities to achieve full system compromise.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to sensitive data stored in the database, such as administrator usernames, password hashes, session identifiers, and user records. An attacker can execute arbitrary SQL commands without authentication, leading to data theft, data manipulation, or deletion.
Additionally, attackers may escalate their privileges by cracking password hashes offline, potentially gaining administrative control over the system. This can result in full system compromise, affecting the confidentiality, integrity, and availability of the affected platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests containing the catName parameter in JSON-formatted bodies sent to the endpoints objects/videos.json.php and objects/video.php. Since the vulnerability involves SQL Injection via the catName parameter, detection can focus on identifying unusual or malicious SQL payloads within these requests.

A practical approach is to use network monitoring or web application firewall (WAF) logs to look for POST requests with JSON bodies targeting these endpoints that include SQL syntax or injection patterns in the catName field.

Example commands to detect such attempts might include using curl or similar tools to test the endpoints, or using grep and log analysis to find suspicious entries.

- Use curl to test the endpoint with a crafted payload: `curl -X POST -H "Content-Type: application/json" -d '{"catName":"' OR '1'='1"}' https://your-avideo-domain/objects/videos.json.php`
- Search web server logs for suspicious POST requests containing `catName` with SQL keywords: `grep -i "catName" /var/log/apache2/access.log | grep -E "(union|select|or|and|--|')"`
- Use intrusion detection systems or WAFs to alert on SQL injection patterns in JSON POST bodies targeting the affected endpoints.

[1]
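The detection idea above (inspect JSON-bodied POSTs to the two affected endpoints for SQL syntax in `catName`) carried through as a small log scanner. This is an added example, not code from the CVE record or from the AVideo project. Two practical points it builds in: ordinary Apache/nginx access logs do not record POST bodies, so the input is assumed to be a WAF or mod_security-style audit export (one JSON record per request with the raw body; that record layout is an assumption, adapt it to your WAF), and SQL keywords such as `or` and `and` only count when they directly follow a string delimiter, so category names like "Rock and Roll" do not trip the check the way a bare `grep -E "(or|and)"` would. The sample records are constructed, not real traffic.

```python
import json
import re
from typing import List, Optional

# Endpoints named in the advisory. Paths are compared exactly, so strip
# query strings and normalise the path before calling if your export keeps
# the raw request line.
AFFECTED_ENDPOINTS = {"/objects/videos.json.php", "/objects/video.php"}

# Ordered SQL-syntax indicators for a value that should be a plain category
# name. Keywords only count when they directly follow a string delimiter.
SQLI_CHECKS = [
    (re.compile(r"'\s*(or|and|union|select)\b", re.I), "quote followed by SQL keyword"),
    (re.compile(r"--|/\*"), "SQL comment sequence"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I | re.S), "UNION ... SELECT"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based SQL function"),
    (re.compile(r";"), "statement terminator"),
]


def suspicious_cat_name(value: str) -> Optional[str]:
    """Return the first matching indicator for a catName value, or None."""
    for pattern, reason in SQLI_CHECKS:
        if pattern.search(value):
            return reason
    return None


def scan_audit_log(log_text: str) -> List[dict]:
    """Scan newline-delimited JSON audit records (assumed layout: ts, src,
    method, path, content_type, body) and report JSON-bodied POSTs to the
    affected endpoints whose catName value looks like SQL syntax."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit record; skip rather than abort the scan
        if rec.get("method") != "POST" or rec.get("path") not in AFFECTED_ENDPOINTS:
            continue
        # The advisory describes the bypass for JSON bodies specifically;
        # form-encoded bodies go through the application's normal checks.
        if not (rec.get("content_type") or "").lower().startswith("application/json"):
            continue
        try:
            body = json.loads(rec.get("body") or "")
        except json.JSONDecodeError:
            continue  # truncated or malformed body: nothing to inspect
        if not isinstance(body, dict):
            continue
        cat = body.get("catName")
        if not isinstance(cat, str):
            continue
        reason = suspicious_cat_name(cat)
        if reason:
            findings.append({"line": lineno, "src": rec.get("src"), "path": rec["path"],
                             "catName": cat, "reason": reason})
    return findings


# Constructed sample records (not real traffic): two benign requests, two
# injection attempts, one form-encoded request, one GET, one malformed body.
SAMPLE_AUDIT_LOG = r"""{"ts":"2026-03-07T10:01:02Z","src":"203.0.113.10","method":"POST","path":"/objects/videos.json.php","content_type":"application/json","body":"{\"catName\":\"music\"}"}
{"ts":"2026-03-07T10:01:05Z","src":"203.0.113.10","method":"POST","path":"/objects/videos.json.php","content_type":"application/json","body":"{\"catName\":\"Rock and Roll\"}"}
{"ts":"2026-03-07T10:02:11Z","src":"198.51.100.7","method":"POST","path":"/objects/videos.json.php","content_type":"application/json","body":"{\"catName\":\"' OR '1'='1\"}"}
{"ts":"2026-03-07T10:02:13Z","src":"198.51.100.7","method":"POST","path":"/objects/video.php","content_type":"application/json","body":"{\"catName\":\"music'--\"}"}
{"ts":"2026-03-07T10:03:00Z","src":"198.51.100.7","method":"POST","path":"/objects/videos.json.php","content_type":"application/x-www-form-urlencoded","body":"catName=%27+OR+%271%27%3D%271"}
{"ts":"2026-03-07T10:03:30Z","src":"192.0.2.5","method":"GET","path":"/objects/videos.json.php","content_type":"","body":""}
{"ts":"2026-03-07T10:04:00Z","src":"192.0.2.5","method":"POST","path":"/objects/videos.json.php","content_type":"application/json","body":"{\"catName\": \"broken"}
"""

if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['path']} catName={f['catName']!r} ({f['reason']})")
```

Run against the constructed records it reports lines 3 and 4 only: the `' OR '1'='1` body from the advisory's own test command and a comment-terminated value, both from the same source address. The form-encoded attempt on line 5 is deliberately left to the application's normal sanitization path described in the advisory; widen the content-type check if you would rather see it too.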
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade the WWBN AVideo software to version 24.0 or later, where this vulnerability has been patched.

No reliable workarounds exist, so upgrading is strongly advised to prevent exploitation.

The patch involves proper sanitization and escaping of user inputs, especially the catName parameter, using MySQLi's real_escape_string function to prevent SQL Injection.

Until the upgrade can be applied, consider implementing network-level protections such as blocking or filtering suspicious POST requests to the affected endpoints and monitoring for exploitation attempts.

[1, 2, 3]