CVE-2026-33770
SQL Injection in WWBN AVideo Category Title Handling

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
Meta Information
Published: 2026-03-27
Last Modified: 2026-03-31
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wwbn
Product: avideo
Version / Range: up to and including 26.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can lead to full database read access for an attacker who holds the admin privileges needed to create or rename categories. The attacker can extract sensitive data including user credentials, private video metadata, and personally identifiable information (PII).

Such unauthorized data access can compromise the confidentiality and integrity of the system's data, potentially leading to further exploitation or data breaches.


Can you explain this vulnerability to me?

CVE-2026-33770 is a high-severity SQL Injection vulnerability in the WWBN AVideo platform, specifically in the static method fixCleanTitle() located in objects/category.php. The method constructs a SQL SELECT query by directly embedding user-controlled variables, $clean_title and $id, into the query string without using prepared statements or parameterized queries.

Because $clean_title is derived from user input during category creation or renaming, an attacker with admin-level access can craft a malicious title containing SQL code. This code is then executed by the database, allowing the attacker to inject arbitrary SQL commands.

For example, an attacker could submit a title that unions the users table data with the categories query, enabling extraction of sensitive information such as usernames and passwords.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the AVideo installation is running a version prior to 26.0 and if the vulnerable method fixCleanTitle() in objects/category.php is present with direct interpolation of variables into SQL queries.

Specifically, you can look for SQL injection attempts in logs where category creation or renaming requests contain suspicious input such as SQL keywords or union select statements.

Example of a suspicious input that might indicate exploitation attempts: test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -

To detect exploitation attempts on the system, you can search web server or application logs for such payloads using commands like:

  • grep -i "union select" /path/to/avideo/logs/access.log
  • grep -i "test' union select" /path/to/avideo/logs/access.log

Additionally, reviewing the source code of objects/category.php for the presence of the vulnerable code snippet can be done with:

  • grep -A 10 "function fixCleanTitle" /path/to/avideo/objects/category.php
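
The grep commands above match only the literal, unencoded form of a payload; a request that arrives URL-encoded (`%27` for the quote, `+` or `%20` for spaces) or with inline comments between keywords is missed. The following PHP log scanner is an added example written for this page, not part of the CVE record or the AVideo project: it decodes and normalises each request line before matching. The log format, the category endpoint path and the sample lines are constructed assumptions for the example, not values taken from AVideo.

```php
<?php
// Added example (not from the CVE record or the AVideo project).
// Scans web server access-log lines for SQL injection indicators in
// category-related requests, normalising encoding first so that
// URL-encoded or comment-obfuscated payloads are not missed.
declare(strict_types=1);

/** Decode URL encoding (twice, for double-encoded input), strip SQL comments,
 *  collapse whitespace and lower-case the line so patterns match reliably. */
function normalise_request(string $line): string
{
    $decoded = urldecode(urldecode($line));           // '+' and %xx become characters
    $decoded = preg_replace('#/\*.*?\*/#s', ' ', $decoded); // UNION/**/SELECT -> UNION SELECT
    $decoded = preg_replace('/\s+/', ' ', $decoded);  // tabs/newlines/runs of spaces -> one space
    return strtolower($decoded);
}

/** True when the line targets category handling (path hint is an assumption,
 *  AVideo's real endpoint names are not on the page) and carries injection markers. */
function is_suspicious_category_request(string $line, string $path_hint = 'category'): bool
{
    $n = normalise_request($line);
    if (strpos($n, $path_hint) === false) {
        return false;                                  // not a category request, out of scope
    }
    $patterns = [
        '/union\s+select/',                            // UNION-based data extraction
        '/\'\s*(or|and|union)\b/',                     // quote followed by a SQL keyword
        '/--[\s-]/',                                   // trailing comment marker (-- or -- -)
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $n) === 1) {
            return true;
        }
    }
    return false;
}

/** Scan a whole log file and return the suspicious lines with their line numbers. */
function scan_access_log(string $path): array
{
    $hits = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $no => $line) {
        if (is_suspicious_category_request($line)) {
            $hits[$no + 1] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines (Apache combined format; paths and payloads are fabricated).
$sample = [
    '10.0.0.5 - - [27/Mar/2026:10:00:01 +0000] "GET /objects/categoryExample.php?clean_title=sports HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Mar/2026:10:02:13 +0000] "GET /objects/categoryExample.php?clean_title=test%27+UNION+SELECT+username%2Cpassword+FROM+users--+- HTTP/1.1" 200 4096',
    '10.0.0.9 - - [27/Mar/2026:10:02:40 +0000] "GET /objects/categoryExample.php?clean_title=test%2527%20UNION/**/SELECT%201 HTTP/1.1" 200 4096',
    '10.0.0.7 - - [27/Mar/2026:10:03:05 +0000] "GET /objects/categoryExample.php?clean_title=rock%27n%27roll HTTP/1.1" 200 512',
];
foreach ($sample as $line) {
    printf("%-10s %s\n", is_suspicious_category_request($line) ? 'SUSPICIOUS' : 'ok', $line);
}
// Expected: lines 2 and 3 are flagged; the plain title and the apostrophe in "rock'n'roll" are not.
```

Two caveats when applying this to a real deployment: an access log records only the request line, so a title submitted in a POST body never appears there and needs application-level request logging to be visible; and a scoped path hint keeps noise down but should be set to whatever category endpoints the installed version actually exposes, which this example does not know.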

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the AVideo platform to version 26.0 or later, where the vulnerability has been patched.

The patch replaces the vulnerable SQL query construction with parameterized queries using prepared statements, preventing SQL injection.

If upgrading immediately is not possible, restrict admin-level access to trusted users only, as exploitation requires authenticated admin privileges to create or rename categories.

Additionally, monitor logs for suspicious activity and consider applying temporary input validation or sanitization on category titles to block SQL metacharacters.
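
The following PHP is an added illustration of the two mitigations named above, the parameterized query that the patch introduces and the interim title normalisation; it is not the AVideo project's code and not the content of the referenced commit. The function names, the `categories` table and its `clean_title` and `id` columns, and the database connection details are assumptions made for the example.

```php
<?php
// Added example (not the AVideo project's code). Shows the CWE-89 pattern
// described in the advisory (title and id interpolated into a SELECT) next
// to the hardened form using a prepared statement, plus an interim slug
// normaliser for titles. Table/column/function names are assumptions.
declare(strict_types=1);

/** Vulnerable pattern: both values become part of the SQL text, so a quote in
 *  $clean_title or a non-numeric $id changes the query itself. */
function find_title_clash_vulnerable(mysqli $db, string $clean_title, string $id): ?array
{
    $sql = "SELECT id FROM categories WHERE clean_title = '{$clean_title}' AND id <> {$id}";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

/** Hardened form: the SQL text is fixed; values travel as bound parameters
 *  ('s' = string, 'i' = integer), so no input can alter the statement. */
function find_title_clash_safe(mysqli $db, string $clean_title, int $id): ?array
{
    $stmt = $db->prepare('SELECT id FROM categories WHERE clean_title = ? AND id <> ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $clean_title, $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

/** Interim defence in depth: reduce a title to an allow-listed slug before it
 *  reaches any query. Not a substitute for the prepared statement above. */
function to_clean_title(string $title): string
{
    $slug = strtolower(trim($title));
    $slug = preg_replace('/[^a-z0-9]+/', '-', $slug); // anything but a-z0-9 becomes '-'
    return trim($slug, '-');
}

// Usage (connection values are placeholders to replace with the real ones):
// $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $clash = find_title_clash_safe($db, to_clean_title("Test' UNION SELECT 1-- -"), 42);
// With the prepared statement the quote is stored and compared as data; the
// result is null unless a category whose clean_title is "test-union-select-1" exists.
```

Note that `to_clean_title()` alone is not a fix: it only narrows what a title can contain, while the `$id` parameter must still be typed as an integer and bound, as `find_title_clash_safe()` does; both values were interpolated in the vulnerable version.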


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL Injection vulnerability in WWBN AVideo allows an attacker with admin-level access to extract sensitive information from the database, including usernames, passwords, private video metadata, and user personally identifiable information (PII).

Exposure of PII and credentials due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate the protection of personal data and sensitive information.

Therefore, exploitation of this vulnerability could result in violations of these standards and regulations, potentially leading to legal and financial consequences for affected organizations.

