Description
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Published: 2026-03-06
Score: 9.8 Critical
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WWBN AVideo contains an unauthenticated SQL injection flaw in the objects\/videos.json.php and objects\/video.php components. The catName parameter in a JSON‑formatted POST request is not sanitized after JSON input is merged into $_REQUEST, allowing the payload to bypass the existing sanitization mechanisms. This flaw permits execution of arbitrary SQL statements against the database used by the application.

Affected Systems

All installations of WWBN AVideo versions earlier than 24.0 are affected. The flaw resides in the objects\/videos.json.php and objects\/video.php endpoints.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity vulnerability, and the EPSS score of 2% suggests a low but non‑zero probability of exploitation in the current environment. Based on the description, it is inferred that authentication is not required to reach the vulnerable endpoint, making the attack vector simple and accessible to anyone with network access to the application. The vulnerability is not yet listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 18, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to version 24.0 or later, which removes the injection flaw.
  • Restrict access to the objects\/videos.json.php and objects\/video.php endpoints using firewall rules or network segmentation so that only trusted networks or authenticated traffic can reach them.
  • If an upgrade cannot be performed immediately, add authentication checks to the JSON endpoint or disable external access to it until the patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 15:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pv87-r9qf-x56p AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
History

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 06 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Title WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:09:52.823Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28501

cve-icon Vulnrichment

Updated: 2026-03-06T16:01:33.312Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T04:16:08.177

Modified: 2026-06-17T10:28:45.280

Link: CVE-2026-28501

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T15:15:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')