CVE-2026-33770
Received Received - Intake
SQL Injection in WWBN AVideo Category Title Handling

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33770
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to full database read access for an attacker with admin privileges to create or rename categories. The attacker can extract sensitive data including user credentials, private video metadata, and personally identifiable information (PII).

Such unauthorized data access can compromise the confidentiality and integrity of the system's data, potentially leading to further exploitation or data breaches.

Executive Summary

CVE-2026-33770 is a high-severity SQL Injection vulnerability in the WWBN AVideo platform, specifically in the static method fixCleanTitle() located in objects/category.php. The method constructs a SQL SELECT query by directly embedding user-controlled variables, $clean_title and $id, into the query string without using prepared statements or parameterized queries.

Because $clean_title is derived from user input during category creation or renaming, an attacker with admin-level access can craft a malicious title containing SQL code. This code is then executed by the database, allowing the attacker to inject arbitrary SQL commands.

For example, an attacker could submit a title that unions the users table data with the categories query, enabling extraction of sensitive information such as usernames and passwords.

Detection Guidance

This vulnerability can be detected by checking if the AVideo installation is running a version prior to 26.0 and if the vulnerable method fixCleanTitle() in objects/category.php is present with direct interpolation of variables into SQL queries.

Specifically, you can look for SQL injection attempts in logs where category creation or renaming requests contain suspicious input such as SQL keywords or union select statements.

Example of a suspicious input that might indicate exploitation attempts: test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -

To detect exploitation attempts on the system, you can search web server or application logs for such payloads using commands like:

  • grep -i "union select" /path/to/avideo/logs/access.log
  • grep -i "test' union select" /path/to/avideo/logs/access.log

Additionally, reviewing the source code of objects/category.php for the presence of the vulnerable code snippet can be done with:

  • grep -A 10 "function fixCleanTitle" /path/to/avideo/objects/category.php
Mitigation Strategies

The immediate mitigation step is to upgrade the AVideo platform to version 26.0 or later, where the vulnerability has been patched.

The patch replaces the vulnerable SQL query construction with parameterized queries using prepared statements, preventing SQL injection.

If upgrading immediately is not possible, restrict admin-level access to trusted users only, as exploitation requires authenticated admin privileges to create or rename categories.

Additionally, monitor logs for suspicious activity and consider applying temporary input validation or sanitization on category titles to block SQL metacharacters.

Compliance Impact

The SQL Injection vulnerability in WWBN AVideo allows an attacker with admin-level access to extract sensitive information from the database, including usernames, passwords, private video metadata, and user personally identifiable information (PII).

Exposure of PII and credentials due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate the protection of personal data and sensitive information.

Therefore, exploitation of this vulnerability could result in violations of these standards and regulations, potentially leading to legal and financial consequences for affected organizations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33770. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart