Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch.
Published: 2026-03-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach
Action: Patch Now
AI Analysis

Impact

A blind SQL injection vulnerability exists in the AVideo platform’s remindMe.json.php endpoint, allowing any authenticated user to inject malicious SQL through the live_schedule_id parameter. The application passes this value through several functions without proper sanitization; only local copies are converted to integers, leaving the original tainted variable to be concatenated directly into a SQL LIKE clause. This flaw permits attackers to perform time‑based blind injections and retrieve arbitrary database contents, potentially exposing confidential user data and system configuration. The underlying weakness is identified as CWE‑89 and can lead to significant confidentiality compromise, and if the database contains privileged information, it could also impact integrity.
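The mechanism described in the Description and in the paragraph above (an integer cast applied inside a callee, so the caller's tainted variable reaches the query unchanged) is easy to miss in review. The PHP below is an added illustration of that pattern and its fix; it is not AVideo's code and not the vendor patch. The function bodies, table and column names, and the `lookupOwnerFromLocalCopy()` helper are hypothetical stand-ins, and the advisory's identifier `live_schedule_id` is reused only for orientation. The input is a constructed, harmless non-numeric marker whose only purpose is to show whether it survives into the SQL text.

```php
<?php
// Added example (not AVideo's code). Table and column names are placeholders.

// Stand-in for an intermediate step such as getUsers_idOrCompany(): it casts its
// own parameter, but PHP passes scalars by value, so the caller's variable is untouched.
function lookupOwnerFromLocalCopy($live_schedule_id): int
{
    $live_schedule_id = intval($live_schedule_id); // only this local copy is cleaned
    return $live_schedule_id > 0 ? 42 : 0;          // constructed placeholder owner id
}

// Vulnerable shape (hypothetical): the raw request value is concatenated into a LIKE pattern.
function buildQueryVulnerable($live_schedule_id): string
{
    return "SELECT * FROM scheduler_commands WHERE parameters LIKE '%$live_schedule_id%'";
}

// Hardened shape: normalise the value itself, reject anything that is not a positive
// integer, and pass the pattern as a bound parameter. Returns [sql, params] so the
// caller can hand them to PDO::prepare()/execute() without string concatenation.
function buildQueryHardened($live_schedule_id): array
{
    $id = intval($live_schedule_id);
    if ($id <= 0) {
        throw new InvalidArgumentException('live_schedule_id must be a positive integer');
    }
    return [
        'SELECT * FROM scheduler_commands WHERE parameters LIKE :pattern',
        [':pattern' => '%' . $id . '%'],
    ];
}

// Constructed input standing in for $_REQUEST['live_schedule_id']. A harmless
// non-numeric marker, chosen only to make the taint visible in the output.
$tainted = "7abc";

$owner = lookupOwnerFromLocalCopy($tainted);  // intval ran, but only inside the callee
var_dump($tainted === "7abc");                // bool(true): caller's variable is still tainted

echo buildQueryVulnerable($tainted), PHP_EOL; // the marker appears verbatim inside the SQL

[$sql, $params] = buildQueryHardened($tainted);
echo $sql, PHP_EOL;                           // placeholder only; the value travels as a bound param
var_dump($params[':pattern']);                // string(3) "%7%": cast applied to the value actually used
```

The fix has two independent parts, and both matter: casting the value that is actually used (not a copy) closes this instance, while binding the pattern instead of concatenating it removes the query-construction habit that produces the bug class in the first place. For detection, the same property can be checked in a unit test: feed a non-numeric marker to the request-handling path and assert that it never appears in the generated SQL text.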

Affected Systems

The affected product is WWBN AVideo, an open source video platform. Versions up to and including 26.0 are vulnerable. The issue stems from the remindMe.json.php endpoint in the scheduler component, which relies on the live_schedule_id request parameter. Upgrading beyond version 26.0 or applying the vendor patch eliminates the flaw.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, and the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog, implying no known widespread exploitation yet. A valid authenticated session is required to exploit the flaw, and the attack vector is inferred to be a remote web-based request to the remindMe.json.php endpoint. Because the attack requires sustained time‑based queries to infer data, successful exploitation would likely be noticeable to vigilant monitoring. Overall, the risk remains high due to the severe impact of data exfiltration, despite the low EPSS.

Generated by OpenCVE AI on March 25, 2026 at 20:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch contained in commit 75d45780728294ededa1e3f842f95295d3e7d144 to secure the remindMe.json.php endpoint.
  • Ensure the AVideo instance is updated to a version newer than 26.0; verify the current installation version and upgrade if necessary.
  • If immediate patching is not possible, constrain access to the remindMe.json.php endpoint to trusted users or implement additional authentication checks.
  • Review database permissions and restrict access to sensitive tables to limit the potential damage from a successful injection.

Advisories

Source | ID | Title
GitHub GHSA | GHSA-pvw4-p2jm-chjm | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
History

Wed, 25 Mar 2026 18:15:00 +0000

Type | Values removed | Values added
CPEs | | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 15:15:00 +0000

Type | Values removed | Values added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values removed | Values added
First Time appeared | | Wwbn, Wwbn avideo
Vendors & Products | | Wwbn, Wwbn avideo

Mon, 23 Mar 2026 19:00:00 +0000

Type | Values removed | Values added
Description | | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch.
Title | | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T14:26:15.593Z

Reserved: 2026-03-23T15:23:42.217Z

Link: CVE-2026-33651

Vulnrichment

Updated: 2026-03-24T14:26:07.584Z

NVD

Status: Analyzed

Published: 2026-03-23T19:16:41.383

Modified: 2026-03-25T18:02:12.427

Link: CVE-2026-33651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:10Z

Weaknesses