CVE-2026-33025
Status: Received - Intake
SQL Injection in AVideo Object.php Allows Query Manipulation

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, making it entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-24
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wwbn
Product: avideo-encoder
Version / Range: up to 8.0 (excluding)
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability allows any authenticated user, including non-admin streamers, to perform SQL injection attacks by submitting crafted POST parameters.

  • Attackers can extract sensitive database information such as credentials, configuration data, and all queue data.
  • It enables time-based or boolean-based blind SQL injection attacks.
  • Attackers can cause denial of service by executing heavy or malicious queries.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


Can you explain this vulnerability to me?

CVE-2026-33025 is a SQL Injection vulnerability in the AVideo-Encoder project, specifically in the getSqlFromPost() method of Object.php. The vulnerability occurs because the $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause without proper sanitization. Although real_escape_string() was applied, it only escapes characters relevant in string contexts and does not protect SQL identifiers, making it ineffective here.

This allows an authenticated user to inject arbitrary SQL code by crafting malicious sort parameters, potentially manipulating the ORDER BY clause to execute unintended SQL commands.

The issue was fixed by sanitizing column names to allow only alphanumeric characters and underscores, enclosing them in backticks, and restricting sort directions to 'asc' or 'desc'. [1, 2]
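The contrast the answer above describes, as an added example that is not AVideo's own code: a builder that runs the $_POST['sort'] keys through a string-context escaper (mimicking what mysqli::real_escape_string() does) next to a whitelist-based builder following the fix as the advisory describes it. The function names, the escaper, the sample column list and the sample inputs are assumptions.

```php
<?php
// Added example, not AVideo's own code. It contrasts the pattern the advisory
// describes (ORDER BY built from $_POST['sort'] keys after real_escape_string())
// with a whitelist-based builder matching the fix described for 8.0.
// All function names and the column list are assumptions.

// Mimics what mysqli::real_escape_string() does: it escapes NUL, \n, \r,
// backslash, single/double quote and Ctrl-Z. Nothing else is touched, so a
// value placed in identifier position (no quotes around it) passes through.
function escapeForStringContext(string $value): string
{
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Vulnerable shape: the array KEY is the column name and lands in the SQL text
// as a bare identifier. Escaping it changes nothing that matters here.
function buildOrderByUnsafe(array $sort): string
{
    $parts = [];
    foreach ($sort as $column => $direction) {
        $parts[] = escapeForStringContext((string) $column) . ' '
                 . escapeForStringContext((string) $direction);
    }
    return $parts ? ' ORDER BY ' . implode(', ', $parts) : '';
}

// Hardened shape, following the fix the advisory describes:
//  1. the column name must match ^[A-Za-z0-9_]+$ (anything else is rejected),
//  2. it is additionally checked against the table's known columns (assumed list),
//  3. it is wrapped in backticks, and
//  4. the direction is restricted to ASC or DESC.
function buildOrderBySafe(array $sort, array $knownColumns): string
{
    $parts = [];
    foreach ($sort as $column => $direction) {
        $column = (string) $column;
        if (!preg_match('/^[A-Za-z0-9_]+$/', $column)) {
            throw new InvalidArgumentException('Rejected sort column: ' . json_encode($column));
        }
        if (!in_array($column, $knownColumns, true)) {
            throw new InvalidArgumentException('Unknown sort column: ' . $column);
        }
        $dir = strtolower(trim((string) $direction)) === 'desc' ? 'DESC' : 'ASC';
        $parts[] = '`' . $column . '` ' . $dir;
    }
    return $parts ? ' ORDER BY ' . implode(', ', $parts) : '';
}

// Constructed inputs: a normal request and one whose key is not a plain identifier.
$knownColumns = ['id', 'created', 'status'];   // assumed queue table columns
$benign  = ['created' => 'desc', 'id' => 'asc'];
$crafted = ['created, status' => 'asc'];       // comma and space: not an identifier

echo buildOrderByUnsafe($benign), "\n";
echo buildOrderByUnsafe($crafted), "\n";
echo buildOrderBySafe($benign, $knownColumns), "\n";

try {
    buildOrderBySafe($crafted, $knownColumns);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

Run it with the php CLI. In the application the call would be `buildOrderBySafe($_POST['sort'] ?? [], $knownColumns)`. The unsafe builder emits the crafted key unchanged because none of the characters real_escape_string() touches are needed to leave identifier position; the safe builder stops it at the regex check before it ever reaches the SQL text, and the known-column list plus the backticks are the defence in depth for anything the regex alone would pass.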


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring POST requests to the affected AVideo-Encoder endpoints, specifically looking for POST parameters named sort[*] that contain characters outside the allowed set of alphanumeric characters and underscores ([A-Za-z0-9_]).

One approach is to inspect web server logs or use network monitoring tools to filter and identify suspicious POST requests with unusual characters in the sort parameter keys.

For example, using command-line tools like grep on web server access logs to find such requests:

  • grep -P "POST.*sort\[[^A-Za-z0-9_]" /var/log/apache2/access.log
  • Or using tools like tcpdump or Wireshark to capture HTTP POST traffic and filter for suspicious sort parameters.

Additionally, applying a Web Application Firewall (WAF) rule to block POST requests where any sort[*] key contains disallowed characters can help detect and prevent exploitation attempts. [2]
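The log-inspection idea above, applied to access-log lines, as an added example that is not from the advisory or from AVideo. The log lines are constructed and the function name is an assumption. One caveat worth knowing before relying on it: a standard combined-format access log records only the request line, so this (like the grep above) sees a sort[...] key only when it is sent in the query string; keys carried in a POST body are visible only to a WAF or to a body-logging module such as mod_security's audit log.

```php
<?php
// Added example, not from the advisory or AVideo: applies the detection idea
// (a sort[...] key containing characters outside [A-Za-z0-9_]) to access-log
// lines. The log lines are constructed; the function name is an assumption.
// Only the request line is present in a combined-format log, so this sees the
// key only when it travels in the query string.

function findSuspiciousSortRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        // Request line field: "METHOD /path?query HTTP/x.y"
        if (!preg_match('/"(POST|GET) ([^ "]+) HTTP\/[\d.]+"/', $line, $req)) {
            continue;
        }
        $query = parse_url($req[2], PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;
        }
        // Decode each parameter name separately so an encoded '&' inside a key
        // cannot split the pair, then look for sort[<key>] with a key that is
        // not a plain identifier.
        foreach (explode('&', $query) as $pair) {
            $name = urldecode(explode('=', $pair, 2)[0]);
            if (preg_match('/^sort\[([^\]]*)\]$/', $name, $k)
                && !preg_match('/^[A-Za-z0-9_]+$/', $k[1])) {
                $hits[] = [
                    'line'   => $index + 1,
                    'method' => $req[1],
                    'key'    => $k[1],
                ];
            }
        }
    }
    return $hits;
}

// Constructed access-log lines (combined format, trimmed): one normal sort,
// one with a comma and a space in the key, and one unrelated request.
$logLines = [
    '10.0.0.5 - - [20/Mar/2026:10:00:01 +0000] "POST /queue.json.php?sort%5Bcreated%5D=desc HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Mar/2026:10:00:09 +0000] "POST /queue.json.php?sort%5Bcreated%2C%20status%5D=asc HTTP/1.1" 200 498',
    '10.0.0.9 - - [20/Mar/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
];

foreach (findSuspiciousSortRequests($logLines) as $hit) {
    printf("line %d: %s request with sort key %s\n",
        $hit['line'], $hit['method'], json_encode($hit['key']));
}
```

Feed it the real log with `file('/var/log/apache2/access.log')` in place of the constructed array. Only the second line is reported: its key decodes to `created, status`, which fails the identifier check, while the first line's key is a plain identifier and the third line carries no sort parameter at all.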


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade AVideo-Encoder to version 8.0 or later, where the vulnerability has been fixed by sanitizing the sort POST parameters and enforcing strict whitelisting.
  • If upgrading is not immediately possible, implement a Web Application Firewall (WAF) rule to block POST requests where any sort[*] key contains characters outside the allowed set [A-Za-z0-9_].
  • Alternatively, restrict access to the queue-related views (queue.json.php, index.php) to trusted IP ranges only, reducing the risk of exploitation.
