CVE-2026-33651
Received Received - Intake
Time-Based Blind SQL Injection in WWBN AVideo Scheduler Component

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33651
EUVD
EUVD-2026-14490
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33651 is a high-severity blind SQL injection vulnerability in the WWBN AVideo platform, specifically in the Live Schedule Reminder feature. The vulnerability occurs because the `live_schedule_id` parameter from the `remindMe.json.php` endpoint is passed through multiple functions without proper sanitization and is ultimately concatenated directly into a SQL LIKE clause in the `Scheduler_commands::getAllActiveOrToRepeat()` method.

Although some intermediate functions apply `intval()` to local copies of the parameter, the original variable remains unsanitized and tainted. This allows any authenticated user to perform time-based blind SQL injection attacks by injecting malicious SQL code into the `live_schedule_id` parameter.

Exploitation can include delaying responses to confirm injection and extracting sensitive database information such as admin credentials, user personal data, API keys, and session tokens. The vulnerability has a CVSS v3.1 score of 8.1, indicating high severity.

Impact Analysis

This vulnerability can have serious impacts including full database read access by an attacker, allowing extraction of sensitive information such as admin credentials, user emails, passwords, API keys, and session tokens.

There is also potential for data modification if the database user has sufficient privileges, enabling attackers to insert, update, or delete data.

Additionally, attackers can perform account takeover by extracting admin password hashes or session tokens.

The attack complexity is low, requiring only authenticated user privileges and no user interaction beyond authentication.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing time delays in responses when sending specially crafted requests to the `remindMe.json.php` endpoint with the `live_schedule_id` parameter.'}, {'type': 'paragraph', 'content': 'For example, an authenticated user can test for time-based blind SQL injection by sending a request with `live_schedule_id=1" AND SLEEP(5) -- ` and checking if the response is delayed by approximately 5 seconds.'}, {'type': 'paragraph', 'content': 'A sample command using curl to test this could be:'}, {'type': 'list_item', 'content': 'curl -b cookies.txt "https://your-avideo-instance/plugin/Live/remindMe.json.php?live_schedule_id=1%22%20AND%20SLEEP(5)%20--%20"'}, {'type': 'paragraph', 'content': 'Where `-b cookies.txt` contains authentication cookies for an authenticated user session.'}, {'type': 'paragraph', 'content': 'If the response time is significantly increased (e.g., delayed by 5 seconds), it indicates the presence of the SQL injection vulnerability.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Apply input sanitization by casting the `live_schedule_id` parameter to an integer at the entry point in `plugin/Live/remindMe.json.php` using `intval()`.
  • Refactor the vulnerable SQL query in `Scheduler_commands::getAllActiveOrToRepeat()` to use parameterized queries with prepared statements instead of directly concatenating user input.
  • Ensure that the patch from commit 75d45780728294ededa1e3f842f95295d3e7d144 is applied, which implements both input sanitization and SQL query parameterization.

These steps prevent SQL injection by ensuring that user input is properly sanitized and safely incorporated into SQL queries.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33651. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart