CVE-2026-33767
Received Received - Intake
SQL Injection in WWBN AVideo like.php Allows Data Manipulation

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33767
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to perform SQL injection to read sensitive data from the database, including user credentials, emails, and other private content accessible to the MySQL user.

Such unauthorized access to personal and sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal information against unauthorized access and breaches.

Therefore, this vulnerability poses a significant risk to compliance with these regulations by potentially exposing protected personal data.

Executive Summary

CVE-2026-33767 is a high-severity SQL Injection vulnerability in the WWBN AVideo open source video platform, specifically in the file objects/like.php within the getLike() method.

The vulnerability occurs because the SQL query uses a prepared statement placeholder for the users_id parameter but directly concatenates the videos_id value into the query string without parameterization or validation.

Since videos_id is derived from user-supplied input and is not sanitized or cast to an integer, an attacker who can control this value (via a crafted request) can inject arbitrary SQL code, bypassing the partial prepared-statement protection.

This allows an attacker to perform UNION-based SQL injection attacks to read sensitive data from the database, such as user credentials and emails.

Impact Analysis

This vulnerability can have a significant impact because it allows an authenticated attacker to inject arbitrary SQL commands into the database query.

The attacker can read sensitive data from the database, including user credentials and private information.

Depending on the database user's privileges, the attacker might also be able to modify or delete data.

Since liking or disliking videos is generally available to any authenticated user, the attack surface is broad.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious SQL injection attempts targeting the videos_id parameter in requests to the like or dislike functionality of the WWBN AVideo platform.

A practical detection method is to look for HTTP POST or GET requests containing unusual or crafted videos_id values that include SQL keywords or syntax, such as UNION SELECT statements.

For example, you can use network monitoring tools or web server logs to search for requests with videos_id parameters containing SQL injection payloads.

  • Using grep on web server logs to find suspicious videos_id values: grep -i 'videos_id=.*union' /var/log/apache2/access.log
  • Using a packet capture tool like tcpdump or Wireshark to filter HTTP POST requests containing 'videos_id' parameter with suspicious content.
  • Testing the endpoint manually or with a tool like curl by sending crafted requests, for example: curl -X POST -d 'videos_id=1 UNION SELECT user,password,3,4,5,6,7,8 FROM users-- -' https://your-avideo-instance/objects/like.php
Mitigation Strategies

The immediate mitigation step is to upgrade the WWBN AVideo platform to version 26.0 or later, where the vulnerability has been patched.

The patch replaces the unsafe concatenation of the videos_id parameter in SQL queries with properly parameterized prepared statements and enforces integer type casting on the videos_id input.

If upgrading immediately is not possible, as a temporary measure, you can implement input validation or filtering at the web server or application firewall level to block suspicious videos_id values containing SQL syntax.

Additionally, review and restrict database user privileges to minimize potential damage from SQL injection attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33767. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart