Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.
Published: 2026-03-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing extraction of sensitive data
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an unsanitized SQL injection in the subscribe endpoint of the AVideo platform. The user_id parameter is concatenated directly into an INSERT statement, enabling any authenticated user to inject SQL and read data from any table, including password hashes and API keys. This allows compromise of confidential credentials and potentially full system takeover in the database layer.

Affected Systems

The flaw exists in the AVideo open‑source video platform produced by WWBN in all releases through version 26.0. The affected code resides in objects/subscribe.php and is accessed via the subscribe.json.php and subscribeNotify.json.php endpoints.

Risk and Exploitability

With a base CVSS score of 7.1 and an extremely low EPSS (<1%), the vulnerability is serious but unlikely to be widely exploited yet. The attacker requires authentication to reach the vulnerable endpoint, but any authenticated account can exploit it. CISA has not listed it in its KEV catalog, indicating no known widespread exploitation. The patch in commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c removes the unsanitized concatenation and restores parameterized queries.

Generated by OpenCVE AI on March 25, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a version beyond 26.0, or apply the patch from commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c to replace the insecure SQL construction.
  • Ensure user authentication is tightly controlled, as the vulnerability requires an authenticated session.
  • Verify that the database user running the application has minimal privileges to limit the damage should an injection occur.

Generated by OpenCVE AI on March 25, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ffr8-fxhv-fv8h AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter
History

Wed, 25 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.
Title AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:13:32.510Z

Reserved: 2026-03-23T17:34:57.559Z

Link: CVE-2026-33723

cve-icon Vulnrichment

Updated: 2026-03-24T14:43:55.916Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T19:16:42.807

Modified: 2026-03-25T19:04:07.503

Link: CVE-2026-33723

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:37:00Z

Weaknesses