Description
AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, making it entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
Published: 2026-03-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection
Action: Upgrade
AI Analysis

Impact

A video-sharing platform before version 8.0 is vulnerable to authenticated SQL injection. The getSqlFromPost() method uses $_POST['sort'] array keys directly as SQL column identifiers in an ORDER BY clause without proper validation. Although real_escape_string was applied, it only protects string contexts and does not escape identifiers, allowing an attacker with a valid session to inject arbitrary SQL code. This can lead to unauthorized data disclosure, modification, or elevation of privileges. The flaw maps to CWE‑89, a classic SQL injection weakness.

Affected Systems

The affected product is WWBN’s AVideo‑Encoder. Any installation running a version earlier than 8.0 of the platform is susceptible. No other vendor or product is listed; the vulnerability is tied solely to the AVideo code base prior to the 8.0 release.

Risk and Exploitability

The CVSS score is 8.6, indicating high severity, while the EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not referenced in the CISA KEV catalog. Exploitation requires an authenticated user to craft a POST request targeting the sort parameter, which is then reflected in the ORDER BY clause, enabling arbitrary SQL commands. Because the attack vector is limited to authenticated sessions, the overall risk is mitigated by the need for valid credentials, but once obtained, the impact can be significant.

Generated by OpenCVE AI on March 24, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to AVideo‑Encoder version 8.0 or newer.
  • If an upgrade is not immediately possible, configure a web application firewall to reject POST requests where any sort[*] key contains characters outside the set [A-Za-z0-9_].
  • Limit access to the queue view and index page to trusted IP ranges to reduce exposure.
  • Regularly monitor access logs for anomalous sort parameters and respond to suspicious activity.
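The description and the recommended actions above both rest on one point: escaping for string context leaves an identifier position untouched, so the fix is an allow-list on the sort[*] keys, not escaping. The following Python is an added illustration written for this page, not AVideo's own code; the column names, the sample rows and the pseudo_real_escape_string() helper (which mimics what MySQL-style real_escape_string() touches) are constructed assumptions.

```python
import re
import sqlite3

# Columns the queue view may legitimately sort on. Constructed for this
# example; the real AVideo schema and column names are not reproduced here.
ALLOWED_SORT_COLUMNS = {"id", "title", "created", "views"}
# Character set from the advisory's suggested WAF rule, full-matched per key.
IDENT_RE = re.compile(r"[A-Za-z0-9_]+")

def pseudo_real_escape_string(value: str) -> str:
    """Mimic real_escape_string(): only string-context characters (backslash,
    quotes, NUL, CR/LF) are escaped. Spaces, parentheses, commas and keywords
    pass through untouched, so an ORDER BY identifier is not protected."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r"}
    return "".join(table.get(ch, ch) for ch in value)

def is_safe_identifier(key: str) -> bool:
    """Allow-list check: restricted character set (what the WAF workaround
    enforces) plus membership in the known sortable columns."""
    return IDENT_RE.fullmatch(key) is not None and key in ALLOWED_SORT_COLUMNS

def order_by_from_sort(sort: dict) -> str:
    """Build the ORDER BY fragment from a sort[] array. A key that is not a
    known column, or a direction other than ASC/DESC, is rejected rather
    than concatenated into the query."""
    parts = []
    for key, direction in sort.items():
        if not is_safe_identifier(key):
            raise ValueError(f"rejected sort key: {key!r}")
        d = str(direction).upper()
        if d not in ("ASC", "DESC"):
            raise ValueError(f"rejected sort direction: {direction!r}")
        parts.append(f"{key} {d}")
    return " ORDER BY " + ", ".join(parts) if parts else ""

def query_queue(sort: dict) -> list:
    """Run the sorted queue query against a constructed in-memory table and
    return the titles in result order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE videos (id INTEGER, title TEXT, views INTEGER)")
    conn.executemany("INSERT INTO videos VALUES (?, ?, ?)",
                     [(1, "intro", 40), (2, "tour", 90), (3, "faq", 10)])
    rows = conn.execute("SELECT title FROM videos" + order_by_from_sort(sort)).fetchall()
    conn.close()
    return [r[0] for r in rows]
```

The same regex applied to each sort[*] key is also what a log review for anomalous sort parameters would flag: any key that does not full-match is either a typo or an attempt.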


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:45:00 +0000

Type      Values Removed   Values Added
CPEs      -                cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*
Metrics   -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wwbn; Wwbn avideo-encoder
Vendors & Products   -                Wwbn; Wwbn avideo-encoder

Fri, 20 Mar 2026 05:15:00 +0000

Type         Values Removed   Values Added
Description  -                AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, making it entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
Title        -                AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause
Weaknesses   -                CWE-89
References   -                -
Metrics      -                cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T13:53:06.246Z

Reserved: 2026-03-17T17:22:14.668Z

Link: CVE-2026-33025

Vulnrichment

Updated: 2026-03-20T13:53:02.872Z

NVD

Status: Analyzed

Published: 2026-03-20T05:16:15.877

Modified: 2026-03-24T16:32:11.757

Link: CVE-2026-33025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:29Z

Weaknesses