CVE-2026-33352
Undergoing Analysis - In Progress
Unauthenticated SQL Injection in WWBN AVideo Category Component

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.
Meta Information
Published: 2026-03-23
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wwbn, Product: avideo, Version / Range: all versions up to but excluding 26.0
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33352 is an unauthenticated SQL injection vulnerability in the WWBN AVideo platform in versions prior to 26.0. It exists in the getAllCategories() method in objects/category.php, specifically in the handling of the doNotShowCats request parameter.

The vulnerability arises because doNotShowCats is sanitized only by removing single-quote characters; backslashes are neither removed nor escaped. Inside a MySQL string literal (with the default sql_mode, where NO_BACKSLASH_ESCAPES is off) a backslash escapes the character that follows it, so an array element that ends in a backslash swallows the quote that was meant to close it. The literal then runs on to the opening quote of the next element, and whatever the attacker placed in that next element lands outside any string literal and is parsed as SQL.

Because the parameter is concatenated directly into the query rather than bound as a parameter, this lets an attacker inject arbitrary SQL: for example, input that makes the WHERE condition always true, or that reads data from other tables.
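The boundary shift described above, as an added example that is not AVideo's own code: a Python model of the pre-26.0 filter (strip single quotes only), of mysqli's real_escape_string() (backslash-escape every special character), and of how MySQL lexes single-quoted string literals. The query shape (a NOT IN list of quoted names) and the function names are assumptions made for illustration; the real query in objects/category.php is not reproduced on this page. The check at the end is generic: user input must never change the SQL that sits outside the string literals.

```python
# Added illustration, not code from WWBN AVideo.  The NOT IN query shape is
# an assumption; only the sanitisation behaviour comes from the advisory.


def vulnerable_filter(values):
    """Mimics the pre-26.0 sanitisation: only single quotes are removed,
    backslashes pass through untouched."""
    return [v.replace("'", "") for v in values]


def escaped_filter(values):
    """Mimics mysqli::real_escape_string(): backslash-escapes the characters
    MySQL treats specially inside a string literal, the backslash included."""
    table = {
        "\\": "\\\\", "'": "\\'", '"': '\\"',
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return ["".join(table.get(ch, ch) for ch in v) for v in values]


def build_query(names):
    """Concatenates already-filtered names into a NOT IN list, the way the
    vulnerable code concatenates request input (assumed query shape)."""
    return ("SELECT * FROM categories WHERE name NOT IN ('"
            + "','".join(names) + "') ORDER BY name")


def sql_outside_string_literals(sql):
    """Minimal MySQL-style scanner: returns the parts of `sql` that are NOT
    inside a single-quoted literal.  Inside a literal a backslash escapes the
    next character (default sql_mode, NO_BACKSLASH_ESCAPES off) and '' is an
    escaped quote.  Comments are not modelled; they are not needed here."""
    out = []
    i, n = 0, len(sql)
    in_str = False
    while i < n:
        ch = sql[i]
        if in_str:
            if ch == "\\" and i + 1 < n:
                i += 2            # escaped character: stays inside the literal
                continue
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2        # '' inside a literal is a literal quote
                    continue
                in_str = False    # closing quote
        elif ch == "'":
            in_str = True         # opening quote
        else:
            out.append(ch)        # SQL that the server will actually parse
        i += 1
    return "".join(out)


def changes_query_structure(values, filter_fn):
    """True if the user-supplied values alter the SQL outside the string
    literals, compared with harmless placeholders of the same count."""
    real = sql_outside_string_literals(build_query(filter_fn(values)))
    benign = sql_outside_string_literals(build_query(filter_fn(["x"] * len(values))))
    return real != benign


if __name__ == "__main__":
    # Constructed payload matching the advisory's technique: element 0 is a
    # lone backslash, element 1 is raw SQL.
    payload = ["\\", ") OR 1=1)--"]
    print(build_query(vulnerable_filter(payload)))
    print("quote-stripping bypassed:", changes_query_structure(payload, vulnerable_filter))
    print("escaping holds:          ", not changes_query_structure(payload, escaped_filter))
```

With the vulnerable filter the server sees `NOT IN ('\',') OR 1=1)--')`: the first literal is `',` (the backslash ate the closing quote), and `) OR 1=1)--` is parsed as SQL. With the backslash escaped the first literal is `\\` and the second element stays inside its own quotes, so the query skeleton is identical to the one built from harmless values.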


How can this vulnerability impact me?

This vulnerability can have severe impacts, including:

  • Confidentiality: Attackers can gain full read access to the database, including sensitive information such as usernames, password hashes, emails, private video metadata, API secrets, and plugin configurations.
  • Integrity: Attackers can modify or delete any data, for example elevating privileges by updating user roles.
  • Availability: Attackers can disrupt service by dropping tables or corrupting data.
  • Potential Remote Code Execution: If the database account has the FILE privilege and the server permits SELECT ... INTO OUTFILE into the web root, attackers could write a PHP web shell into the document root, leading to full system compromise. Where secure_file_priv is set it confines OUTFILE writes to a single directory and blocks this path, so check that setting when assessing exposure.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the `doNotShowCats` request parameter handled by `getAllCategories()` in `objects/category.php` for SQL injection. The crafted input ends one array element with a backslash, which escapes the quote that should close that element, so the text of the next element is parsed as SQL; if the single-quote stripping is the only protection in place, the injected condition takes effect.

A sample test input: doNotShowCats[0]=\&doNotShowCats[1]=) OR 1=1)--

Tools such as curl or Burp Suite can send the request. Compare the response with that of a benign request: categories that should have been excluded being returned, or a database error in the response, indicates injection.

  • Example curl command to test the vulnerability:

    curl -G 'http://target-site/objects/category.php' --data-urlencode "doNotShowCats[0]=\\" --data-urlencode "doNotShowCats[1]=) OR 1=1)--"

If the response returns data that should have been filtered or shows SQL errors, the instance is vulnerable. Since this test covers a single payload, any installation running a version below 26.0 should be treated as affected regardless of the outcome. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to neutralize the `doNotShowCats` input before it reaches the query; the proper fix is to stop concatenating it into the SQL at all.

  • Convert `doNotShowCats` to an array if it is not already one, so every element goes through the same handling.
  • As a stopgap, escape each element with `$global['mysqli']->real_escape_string($value)`, which escapes backslashes as well as quotes. This is only reliable when the connection's character set has been set on the mysqli object (for example with set_charset()) rather than by a raw SET NAMES query, because the escaping is charset-aware.
  • Preferably, replace the concatenation with a prepared statement: one `?` placeholder per element of the array, with the values bound as parameters, so the input can never change the statement's structure.

Upgrading to WWBN AVideo version 26.0 or later, which contains the patch for this vulnerability, is strongly advised. [1, 2]
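The parameterized form of the exclusion list, as an added example that is not AVideo's own code. AVideo is PHP on MySQL; this uses Python's built-in sqlite3 purely so it runs offline, and the pattern (always an array, one placeholder per element, values bound rather than concatenated) carries over unchanged to a mysqli prepared statement. The table, sample rows and function name are constructed for the illustration.

```python
import sqlite3

# Constructed sample data standing in for AVideo's categories table.
SAMPLE_CATEGORIES = ["Music", "Sports", "News"]


def make_db():
    """In-memory stand-in for the real database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO categories (name) VALUES (?)",
                     [(name,) for name in SAMPLE_CATEGORIES])
    return conn


def get_all_categories(conn, do_not_show_cats=None):
    """Hypothetical hardened equivalent of the exclusion-list lookup.

    Every element of do_not_show_cats is passed to the driver as a bound
    parameter.  The only thing derived from the input that touches the SQL
    text is the NUMBER of '?' placeholders, never the values themselves.
    """
    if do_not_show_cats is None:
        do_not_show_cats = []
    if not isinstance(do_not_show_cats, (list, tuple)):
        do_not_show_cats = [do_not_show_cats]        # normalise scalar to array
    do_not_show_cats = [str(v) for v in do_not_show_cats]

    sql = "SELECT name FROM categories"
    params = []
    if do_not_show_cats:
        placeholders = ", ".join("?" for _ in do_not_show_cats)   # "?, ?, ?"
        sql += " WHERE name NOT IN (" + placeholders + ")"
        params = do_not_show_cats
    sql += " ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    # The advisory-style payload is just two harmless strings to the driver.
    print(get_all_categories(db, ["\\", ") OR 1=1)--"]))
    print(get_all_categories(db, ["Music"]))
```

Fed the backslash-plus-SQL payload, the function simply excludes two category names that do not exist and returns every row; the injected `OR 1=1` never reaches the parser. In PHP the same shape is `$stmt->bind_param(str_repeat('s', count($cats)), ...$cats)` after preparing the statement with the generated placeholders.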

