CVE-2026-33025
Status: Received - Intake
SQL Injection in AVideo Object.php Allows Query Manipulation

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, making it entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: wwbn
Product: avideo-encoder
Version / Range: up to 8.0 (excluding)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Impact Analysis

This vulnerability allows any authenticated user, including non-admin streamers, to perform SQL injection attacks by submitting crafted POST parameters.

  • Attackers can extract sensitive database information such as credentials, configuration data, and all queue data.
  • It enables time-based or boolean-based blind SQL injection attacks.
  • Attackers can cause denial of service by executing heavy or malicious queries.

Executive Summary

CVE-2026-33025 is a SQL Injection vulnerability in the AVideo-Encoder project, specifically in the getSqlFromPost() method of Object.php. The vulnerability occurs because the $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause without proper sanitization. Although real_escape_string() was applied, it only escapes characters relevant in string contexts and does not protect SQL identifiers, making it ineffective here.

This allows an authenticated user to inject arbitrary SQL code by crafting malicious sort parameters, potentially manipulating the ORDER BY clause to execute unintended SQL commands.

The issue was fixed by sanitizing column names to allow only alphanumeric characters and underscores, enclosing them in backticks, and restricting sort directions to 'asc' or 'desc'. [1, 2]
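The fix described above, as an added example in Python rather than AVideo's own PHP: mysql_escape_string() is a constructed stand-in for real_escape_string() to show that string-context escaping leaves identifier characters untouched, and order_by_hardened() applies the identifier whitelist, backtick quoting and asc/desc restriction the summary describes (the column names and sort dicts are constructed for illustration).

```python
import re

# Identifier whitelist from the advisory: letters, digits and underscore only.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")

def mysql_escape_string(value: str) -> str:
    """Constructed stand-in for real_escape_string(): it only touches
    string-context characters (quotes, backslash, NUL, newlines)."""
    return (value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
                 .replace("\0", "\\0").replace("\n", "\\n").replace("\r", "\\r"))

def order_by_escaped_only(sort: dict) -> str:
    """The ineffective pattern: escaping the key changes nothing when the key
    contains no quotes, so whatever was posted lands in the ORDER BY verbatim."""
    parts = [f"{mysql_escape_string(col)} {mysql_escape_string(direction)}"
             for col, direction in sort.items()]
    return "ORDER BY " + ", ".join(parts) if parts else ""

def validate_sort(sort: dict):
    """Return [(column, ASC|DESC), ...] or None if any entry is rejected."""
    out = []
    for col, direction in sort.items():
        if not IDENT_RE.fullmatch(str(col)):
            return None                      # disallowed identifier character
        d = str(direction).lower()
        if d not in ("asc", "desc"):
            return None                      # only the two directions allowed
        out.append((str(col), d.upper()))
    return out

def order_by_hardened(sort: dict) -> str:
    """Whitelisted identifiers, backtick-quoted, with direction restricted."""
    validated = validate_sort(sort)
    if validated is None:
        raise ValueError("rejected sort parameter")
    parts = [f"`{col}` {d}" for col, d in validated]
    return "ORDER BY " + ", ".join(parts) if parts else ""
```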

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the affected AVideo-Encoder endpoints, specifically looking for POST parameters named sort[*] that contain characters outside the allowed set of alphanumeric characters and underscores ([A-Za-z0-9_]).

One approach is to inspect web server logs or use network monitoring tools to filter and identify suspicious POST requests with unusual characters in the sort parameter keys. For example, using command-line tools like grep on web server access logs to find such requests:

  • grep -P "POST.*sort\[[^A-Za-z0-9_]" /var/log/apache2/access.log
  • Or using tools like tcpdump or Wireshark to capture HTTP POST traffic and filter for suspicious sort parameters.

Additionally, applying a Web Application Firewall (WAF) rule to block POST requests where any sort[*] key contains disallowed characters can help detect and prevent exploitation attempts. [2]
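The log check above, as an added example (not from the page or the AVideo project), run over constructed Apache access-log lines: it percent-decodes the request target before testing sort[...] keys, which the raw grep does not, so an encoded bracket such as sort%5B does not slip past.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "POST /queue.json.php?sort[created]=desc HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [20/Mar/2026:10:01:03 +0000] "POST /queue.json.php?sort%5Bid%2C%20%28x%29%5D=asc HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [20/Mar/2026:10:01:04 +0000] "GET /index.php?sort[id]=asc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:01:05 +0000] "POST /queue.json.php HTTP/1.1" 200 512 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SORT_KEY_RE = re.compile(r"^sort\[(?P<col>.*)\]$", re.S)
IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")   # allowed set from the advisory

def suspicious_sort_keys(line: str) -> list:
    """Return the sort[...] column names in a POST request's query string
    that contain characters outside [A-Za-z0-9_]."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "POST":
        return []
    query = m.group("target").partition("?")[2]
    hits = []
    # parse_qsl percent-decodes keys, so sort%5B...%5D is seen as sort[...]
    for key, _value in parse_qsl(query, keep_blank_values=True):
        km = SORT_KEY_RE.match(key)
        if km and not IDENT_RE.fullmatch(km.group("col")):
            hits.append(km.group("col"))
    return hits

def scan(log_text: str) -> list:
    """(line number, client IP, offending columns) for each flagged line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        keys = suspicious_sort_keys(line)
        if keys:
            findings.append((n, line.split(" ", 1)[0], keys))
    return findings

if __name__ == "__main__":
    for n, ip, cols in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} posted disallowed sort keys {cols}")
```

A standard access log records only the request line, so sort[*] keys sent in a form-encoded POST body are invisible to both this scanner and the grep; body inspection needs a WAF, a reverse proxy with request-body logging, or the packet capture the guidance mentions.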

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade AVideo-Encoder to version 8.0 or later, where the vulnerability has been fixed by sanitizing the sort POST parameters and enforcing strict whitelisting.
  • If upgrading is not immediately possible, implement a Web Application Firewall (WAF) rule to block POST requests where any sort[*] key contains characters outside the allowed set [A-Za-z0-9_].
  • Alternatively, restrict access to the queue-related views (queue.json.php, index.php) to trusted IP ranges only, reducing the risk of exploitation.