Description
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Published: 2026-03-06
Score: 9.8 Critical
EPSS: 20.9% Moderate
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

WWBN AVideo contains an unauthenticated SQL injection flaw in the objects/videos.json.php and objects/video.php handlers. The application does not sanitize the catName parameter when it is supplied via a JSON-formatted POST request body, and JSON input is merged into the $_REQUEST array after global security checks. This allows an attacker to inject arbitrary SQL statements that can read, modify, or delete data in the underlying database. The vulnerability is a high-severity flaw and could compromise confidentiality and integrity of database information.
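To make the ordering problem concrete, the sketch below is an added illustration written for this page, not AVideo's own source: a hypothetical global escaping pass runs before a JSON body is merged into $_REQUEST, so the merged catName value reaches the query unfiltered; the second function shows the shape a fix should take. Function names, the table and the column are assumptions.

```php
<?php
// Hypothetical illustration of the bug class in this advisory (not AVideo code).

// --- Vulnerable ordering -----------------------------------------------------
function globalSanitize(array &$request): void {
    // Stand-in for a "global security check" that escapes every string
    // present in $_REQUEST at the time it runs.
    foreach ($request as $k => $v) {
        if (is_string($v)) {
            $request[$k] = addslashes($v);
        }
    }
}

function mergeJsonBody(array &$request): void {
    // Stand-in for the JSON-body merge: anything decoded here lands in
    // $_REQUEST *after* globalSanitize() already ran, so it is never checked.
    $json = json_decode((string) file_get_contents('php://input'), true);
    if (is_array($json)) {
        $request = array_merge($request, $json);
    }
}

function vulnerableQuery(array $request): string {
    // String concatenation: a catName that arrived via JSON is used verbatim.
    return "SELECT * FROM videos WHERE category_name = '" . ($request['catName'] ?? '') . "'";
}

// --- Hardened version ---------------------------------------------------------
function safeQuery(PDO $db, array $request): array {
    // Validate after ALL input sources have been merged, and bind the value
    // instead of concatenating it; escaping order then no longer matters.
    $catName = $request['catName'] ?? '';
    if (!is_string($catName) || !preg_match('/^[\w\- ]{1,64}$/', $catName)) {
        throw new InvalidArgumentException('invalid catName');
    }
    $stmt = $db->prepare('SELECT * FROM videos WHERE category_name = :cat');
    $stmt->execute([':cat' => $catName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The sequence that produces the flaw: the check runs, then new input is merged.
globalSanitize($_REQUEST);
mergeJsonBody($_REQUEST);
```

When auditing similar PHP code, look for any place that writes into $_REQUEST, $_GET or $_POST after the request-wide filters have executed; the safe pattern is to merge first and validate last, with prepared statements regardless.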

Affected Systems

All installations of WWBN AVideo older than version 24.0 are affected. The flaw resides in the objects/videos.json.php and objects/video.php components where the catName field is not validated when supplied through a JSON body.

Risk and Exploitability

The CVSS score is 9.8 and the EPSS probability is 21%, indicating a critical risk for deployments exposed to the public. Because the endpoint accepts unauthenticated POST requests, an attacker can exploit the flaw from any network position with minimal effort. This vulnerability is not yet listed in CISA’s KEV catalog. Since the JSON payload is processed after global checks, no additional authentication or privilege is required, making the attack vector straightforward and repeatable.

Generated by OpenCVE AI on April 17, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to the patched version 24.0 or later, which removes the SQL injection flaw.
  • Restrict external access to the objects/videos.json.php and objects/video.php endpoints using firewall rules or network segmentation, allowing only trusted networks or authenticated traffic.
  • If an upgrade cannot be performed immediately, add authentication checks to the JSON endpoint or disable its public access to prevent unauthenticated use until the patch is applied.


Advisories

Source: GitHub GHSA
ID: GHSA-pv87-r9qf-x56p
Title: AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php

History

Mon, 16 Mar 2026 15:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values added: Wwbn; Wwbn avideo
Type: Vendors & Products
Values added: Wwbn; Wwbn avideo

Fri, 06 Mar 2026 03:30:00 +0000

Type: Description
Values added: WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Type: Title
Values added: WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
Type: Weaknesses
Values added: CWE-89
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:09:52.823Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28501

Vulnrichment

Updated: 2026-03-06T16:01:33.312Z

NVD

Status: Analyzed

Published: 2026-03-06T04:16:08.177

Modified: 2026-03-16T15:06:55.607

Link: CVE-2026-28501

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses