CVE-2026-33767
Status: Received - Intake
SQL Injection in WWBN AVideo like.php Allows Data Manipulation

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.
Meta Information
Published: 2026-03-27
Last Modified: 2026-03-31
Generated: 2026-05-27
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: wwbn
Product: avideo
Version / Range: up to and including 26.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33767 is a high-severity SQL Injection vulnerability in the WWBN AVideo open source video platform, specifically in the file objects/like.php within the getLike() method.

The vulnerability occurs because the SQL query uses a prepared statement placeholder for the users_id parameter but directly concatenates the videos_id value into the query string without parameterization or validation.

Since videos_id is derived from user-supplied input and is not sanitized or cast to an integer, an attacker who can control this value (via a crafted request) can inject arbitrary SQL code, bypassing the partial prepared-statement protection.

This allows an attacker to perform UNION-based SQL injection attacks to read sensitive data from the database, such as user credentials and emails.


How can this vulnerability impact me?

This vulnerability can have a significant impact because it allows an authenticated attacker to inject arbitrary SQL commands into the database query.

The attacker can read sensitive data from the database, including user credentials and private information.

Depending on the database user's privileges, the attacker might also be able to modify or delete data.

Since liking or disliking videos is generally available to any authenticated user, the attack surface is broad.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious SQL injection attempts targeting the videos_id parameter in requests to the like or dislike functionality of the WWBN AVideo platform.

A practical detection method is to look for HTTP POST or GET requests containing unusual or crafted videos_id values that include SQL keywords or syntax, such as UNION SELECT statements.

For example, you can use network monitoring tools or web server logs to search for requests with videos_id parameters containing SQL injection payloads.

  • Search web server logs for suspicious videos_id values, for example: grep -i 'videos_id=.*union' /var/log/apache2/access.log
  • Use a packet capture tool such as tcpdump or Wireshark to filter HTTP POST requests whose videos_id parameter carries suspicious content.
  • Test the endpoint manually or with a tool such as curl by sending crafted requests, for example: curl -X POST -d 'videos_id=1 UNION SELECT user,password,3,4,5,6,7,8 FROM users-- -' https://your-avideo-instance/objects/like.php
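A small log scanner along the lines of the grep above, added here as an example rather than something from the advisory or the AVideo project: instead of matching only the UNION keyword, it treats any videos_id that is not a bare integer as suspicious (the parameter should never be anything else), and it undoes percent-encoding first so encoded variants are not missed. The log lines, IP addresses and user agents are constructed; the path /objects/like.php is the one named in the advisory.

```python
"""Flag access-log requests whose videos_id is not a plain integer.

Added example, not part of the advisory or of AVideo. It parses combined-
format access log lines (Apache/nginx default), URL-decodes the query
string of requests to objects/like.php and reports any videos_id value
that is not a bare integer. Because the parameter should only ever be an
integer, this catches the UNION SELECT case the grep above targets as well
as percent-encoded or keyword-free variants. Access logs record only the
request line, so POST bodies are not visible here; a WAF or application
log is needed for those. All log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines: a normal like, two crafted values (one of them
# double-encoded), a request to another script, and a POST with no query string.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2026:10:00:01 +0000] "GET /objects/like.php?videos_id=42&like=1 HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.11 - - [27/Mar/2026:10:00:02 +0000] "GET /objects/like.php?videos_id=42%20UNION%20SELECT%201,2,3&like=1 HTTP/1.1" 200 874 "-" "curl/8.0"
203.0.113.12 - - [27/Mar/2026:10:00:03 +0000] "GET /objects/like.php?videos_id=42%2527%20OR%201%3D1&like=1 HTTP/1.1" 200 51 "-" "python-requests/2.31"
203.0.113.13 - - [27/Mar/2026:10:00:04 +0000] "GET /objects/video.php?videos_id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.14 - - [27/Mar/2026:10:00:05 +0000] "POST /objects/like.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INTEGER_ONLY = re.compile(r"[0-9]+")
SQL_HINT = re.compile(r"\b(union|select|or|and|sleep|benchmark)\b|--|/\*|'", re.I)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding, stopping once the string is stable."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str, script: str = "/objects/like.php") -> list:
    """Return one finding per request to `script` whose videos_id is not an integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith(script):
            continue
        # parse_qs performs one round of decoding; decode_fully handles the rest.
        for raw in parse_qs(target.query, keep_blank_values=True).get("videos_id", []):
            value = decode_fully(raw)
            if INTEGER_ONLY.fullmatch(value):
                continue
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "videos_id": value,
                "sql_hint": bool(SQL_HINT.search(value)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} videos_id={f['videos_id']!r} sql_hint={f['sql_hint']}")
```

Run it against a real access log with `scan_log(open(path).read())`. The "anything that is not an integer" rule keeps false positives low for this parameter while not depending on a keyword list; the sql_hint flag only adds triage context.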

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the WWBN AVideo platform to version 26.0 or later, where the vulnerability has been patched.

The patch replaces the unsafe concatenation of the videos_id parameter in SQL queries with properly parameterized prepared statements and enforces integer type casting on the videos_id input.
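The flawed pattern the first answer describes (a `?` placeholder for users_id next to a concatenated videos_id) and the fix described just above (parameterize both and enforce an integer), side by side as an added example. This is not AVideo's code: it uses an in-memory SQLite table and a made-up `likes` layout to make the behaviour observable, whereas the real project runs on MySQL; the function names and the sample rows are assumptions.

```python
"""A partially parameterized like-lookup and its hardened form.

Added example, not code from AVideo. It mirrors the pattern the advisory
describes for getLike() in objects/like.php: users_id is bound through a
`?` placeholder while videos_id is concatenated into the SQL string. The
table layout and the use of an in-memory SQLite database are assumptions
for the demonstration (the real project uses MySQL).
"""
import re
import sqlite3

INTEGER_ONLY = re.compile(r"-?[0-9]+")


def make_db() -> sqlite3.Connection:
    """Create a constructed likes table with a few sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE likes (id INTEGER PRIMARY KEY, users_id INTEGER, '
        'videos_id INTEGER, "like" INTEGER)'
    )
    conn.executemany(
        'INSERT INTO likes (users_id, videos_id, "like") VALUES (?, ?, ?)',
        [(1, 10, 1), (1, 11, -1), (2, 10, 1)],
    )
    return conn


def get_like_vulnerable(conn, users_id, videos_id):
    """Flawed pattern: users_id is bound, videos_id is concatenated.

    videos_id arrives as a string from the request; any SQL syntax in it
    becomes part of the statement, so the `?` for users_id protects nothing.
    """
    sql = ('SELECT id, users_id, videos_id, "like" FROM likes '
           'WHERE users_id = ? AND videos_id = ' + str(videos_id))
    return conn.execute(sql, (users_id,)).fetchall()


def get_like_fixed(conn, users_id, videos_id):
    """Hardened form: validate videos_id as an integer, then bind both values.

    A strict regex is used instead of a bare int() because Python's int()
    also accepts forms such as '1_0' and surrounding whitespace.
    """
    if not INTEGER_ONLY.fullmatch(str(videos_id)):
        raise ValueError("videos_id must be an integer")
    sql = ('SELECT id, users_id, videos_id, "like" FROM likes '
           'WHERE users_id = ? AND videos_id = ?')
    return conn.execute(sql, (int(users_id), int(videos_id))).fetchall()


def demo():
    """Return (rows for a normal lookup, rows for a tampered one, fixed version rejected?)."""
    conn = make_db()
    normal = get_like_vulnerable(conn, 1, "10")
    # A tampered value rewrites the WHERE clause: AND binds tighter than OR,
    # so the query now matches every like row, not just user 1 / video 10.
    tampered = get_like_vulnerable(conn, 1, "10 OR 1=1")
    try:
        get_like_fixed(conn, 1, "10 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return len(normal), len(tampered), rejected


if __name__ == "__main__":
    print(demo())  # (1, 3, True)
```

The point of the hardened version is that validation and binding are separate layers: the regex rejects anything that is not an integer before the database is involved, and the placeholder guarantees that even a value which passes validation is sent as data, never as SQL text.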

If upgrading immediately is not possible, as a temporary measure, you can implement input validation or filtering at the web server or application firewall level to block suspicious videos_id values containing SQL syntax.

Additionally, review and restrict database user privileges to minimize potential damage from SQL injection attacks.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to perform SQL injection to read sensitive data from the database, including user credentials, emails, and other private content accessible to the MySQL user.

Such unauthorized access to personal and sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal information against unauthorized access and breaches.

Therefore, this vulnerability poses a significant risk to compliance with these regulations by potentially exposing protected personal data.

