Description
WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.
Published: 2026-03-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

In versions of the AVideo video platform before 26.0, the getAllCategories() method processes the doNotShowCats request parameter by removing only single‑quote characters. This removal can be bypassed with a backslash escape, allowing attackers to craft requests that inject arbitrary SQL into the database query. Because the application exposes this vulnerability to unauthenticated users, the injected SQL can read, modify, or delete data in the database, compromising confidentiality, integrity, and availability of stored media and metadata.

Affected Systems

All deployments of the open‑source AVideo platform running any release older than 26.0 are affected. The code harboring the flaw exists in the core application files and has been fixed starting with the 26.0 release.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, indicating a high‑severity risk. No defined exploit probability score is available, and the vulnerability is not listed among known exploited vulnerabilities. The lack of authentication requirements means the attack can be performed over the network with simple HTTP requests, and an attacker could retrieve or alter any database content.

Generated by OpenCVE AI on March 23, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AVideo installation to version 26.0 or later, which includes the patch for the getAllCategories() method.
  • After upgrading, confirm that the file objects/category.php reflects the fixed code; if the upgrade process does not apply the change, replace the file manually with the version from the 26.0 release.
  • If an immediate upgrade is not feasible, block or remove the doNotShowCats parameter in incoming requests or apply a temporary filter that rejects the parameter before it reaches the application.
  • Deploy a web application firewall or additional input validation to detect and mitigate injection attempts in other parts of the system.
  • Regularly monitor application logs for anomalous database queries and keep the platform signed off with the latest security patches.

Generated by OpenCVE AI on March 23, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mcj5-6qr4-95fj AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
History

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.
Title AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:44:35.562Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33352

cve-icon Vulnrichment

Updated: 2026-03-24T17:44:26.443Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T14:16:33.580

Modified: 2026-03-23T15:56:03.963

Link: CVE-2026-33352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:28:07Z

Weaknesses