CVE-2026-33723
Received Received - Intake
SQL Injection in WWBN AVideo Subscribe Method Allows Data Theft

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33723
EUVD
EUVD-2026-14508
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33723 is a high-severity SQL Injection vulnerability in the WWBN AVideo platform (versions up to 26.0). It occurs because the Subscribe::save() method in the subscribe.php file directly concatenates the users_id property, which originates from unsanitized user input ($_POST['user_id']), into an SQL INSERT query without any sanitization or parameterized binding."}, {'type': 'paragraph', 'content': 'An authenticated attacker can exploit this flaw by injecting malicious SQL code through the user_id POST parameter in the subscribe.json.php and subscribeNotify.json.php endpoints. This allows the attacker to execute arbitrary SQL commands, including extracting sensitive data such as password hashes, API keys, and encryption salts from the database.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the users_id property is assigned directly from the raw POST data without sanitization, and the save() method executes SQL queries by concatenating this property directly into the query string without using parameterized queries or escaping.'}] [1]

Impact Analysis

This vulnerability allows any authenticated user to perform SQL injection attacks on the WWBN AVideo platform, leading to significant security impacts.

  • Full read access to the entire database.
  • Extraction of sensitive data including user password hashes, admin credentials, encryption salts, API keys, email addresses, and personal user data.
  • Insertion of arbitrary rows into the subscribes table, compromising data integrity.
  • Potential manipulation or disruption of subscription-related data.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the Subscribe endpoints (`subscribe.json.php` and `subscribeNotify.json.php`) for SQL injection via the `user_id` POST parameter.'}, {'type': 'paragraph', 'content': 'One method is to perform a time-based blind SQL injection test by sending a crafted `user_id` value that includes a SQL sleep function (e.g., `SLEEP(5)`) and observing if the response is delayed, indicating injection is possible.'}, {'type': 'paragraph', 'content': 'Example command using curl to test for time-based SQL injection:'}, {'type': 'list_item', 'content': 'curl -X POST -d "user_id=1 OR SLEEP(5)-- " https://your-avideo-instance/subscribe.json.php'}, {'type': 'paragraph', 'content': 'If the response time is significantly delayed (around 5 seconds), it suggests the vulnerability is present.'}, {'type': 'paragraph', 'content': 'Additionally, attempts to inject SQL payloads that extract data or modify the database can be used to confirm the vulnerability.'}] [1]

Mitigation Strategies

Immediate mitigation steps include sanitizing the `user_id` input by applying `intval()` to ensure it is an integer before using it in SQL queries.

More robust mitigation involves updating the `Subscribe::save()` method to use parameterized SQL queries with proper binding of all user-controllable inputs, including `users_id`, `email`, `status`, and IP address.

Specifically, replace direct concatenation of variables into SQL statements with prepared statements using placeholders and bind parameters accordingly.

Applying the patch from commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c is recommended, as it refactors the vulnerable code to use parameterized queries, effectively preventing SQL injection.

Until the patch is applied, restrict access to the vulnerable endpoints to trusted authenticated users and monitor for suspicious activity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart