Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.
Published: 2026-03-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise
Action: Apply Patch
AI Analysis

Impact

A SQL injection flaw exists in the AVideo video platform, where the videos_id parameter is concatenated directly into a prepared SQL statement. This partial use of prepared statements allows an attacker who can control the videos_id value—typically via a crafted HTTP request—to inject arbitrary SQL commands. The injected SQL can lead to unauthorized data reading, modification, or deletion, thereby compromising the confidentiality and integrity of the application’s database.

Affected Systems

The vulnerability affects the WWBN AVideo platform in all releases up to and including version 26.0. The flaw resides in the objects/like.php file, which is part of the core video-handling logic. Users running any affected build of AVideo should be aware that the system is susceptible to SQL injection through the like functionality.

Risk and Exploitability

The issue carries a CVSS score of 7.1 (High), while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a crafted videos_id parameter, which can be performed from an unauthenticated or authenticated request to the like endpoint. Once the query runs, the attacker can execute arbitrary SQL statements against the database.

Generated by OpenCVE AI on March 31, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch from commit 0215d3c4f1ee748b8880254967b51784b8ac4080 or update AVideo to a version newer than 26.0
  • Verify that the videos_id parameter is now fully parameterized in the query
  • Test for the presence of the vulnerability using a benign SQL injection payload before and after the update

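The following is an added illustration, not code from the AVideo project, of the pattern the advisory describes and of the fully parameterized form the recommended actions ask you to verify. The class LikeDemo, the table name likes and the use of mysqli with mysqlnd (for get_result()) are assumptions made for the example; the real getLike() in objects/like.php may differ in naming and structure.

```php
<?php
// Added example (not AVideo's own code). LikeDemo is a hypothetical class
// modelled on the pattern the advisory describes; table and column names
// are assumptions. Requires PHP 7.4+ and the mysqlnd driver for get_result().

class LikeDemo
{
    private mysqli $db;
    private $videos_id;   // deliberately untyped: in the flawed pattern it arrives straight from the request

    public function __construct(mysqli $db, $videos_id)
    {
        $this->db = $db;
        $this->videos_id = $videos_id;
    }

    // Flawed pattern (as described in the advisory): users_id goes through a
    // placeholder, but videos_id is concatenated into the SQL text. Binding one
    // parameter gives no protection to the value that is concatenated, so the
    // statement is only partially prepared and the query text is attacker-influenced.
    public function getLikeFlawed(int $users_id): ?array
    {
        $sql = "SELECT * FROM likes WHERE users_id = ? AND videos_id = " . $this->videos_id;
        $stmt = $this->db->prepare($sql);
        $stmt->bind_param('i', $users_id);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    }

    // Hardened form: the SQL text is a constant and every user-influenced value
    // is a bound parameter. videos_id is also validated as a positive integer
    // before it is bound, so malformed input is rejected instead of silently cast.
    public function getLikeFixed(int $users_id): ?array
    {
        $videos_id = filter_var($this->videos_id, FILTER_VALIDATE_INT);
        if ($videos_id === false || $videos_id < 1) {
            throw new InvalidArgumentException('videos_id must be a positive integer');
        }
        $sql = "SELECT * FROM likes WHERE users_id = ? AND videos_id = ?";
        $stmt = $this->db->prepare($sql);
        $stmt->bind_param('ii', $users_id, $videos_id);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    }
}
```

When reviewing the patched file, the check is mechanical: the SQL string passed to prepare() must contain no concatenation (`.`) or interpolated variables, and the number of `?` placeholders must equal the number of values passed to bind_param() (here two, with type string `ii`). Any value that still reaches the query text by string concatenation, regardless of how many other values are bound, is the condition this advisory describes.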

Advisories
Source: Github GHSA
ID: GHSA-fj74-qxj7-r3vc
Title: AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
History

Tue, 31 Mar 2026 17:00:00 +0000

Values added:
CPEs: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 30 Mar 2026 07:15:00 +0000

Values added:
First Time appeared: Wwbn, Wwbn avideo
Vendors & Products: Wwbn, Wwbn avideo

Fri, 27 Mar 2026 20:15:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 16:45:00 +0000

Values added:
Description: WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.
Title: AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
Weaknesses: CWE-89
References:
Metrics: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T17:27:42.793Z

Reserved: 2026-03-23T18:30:14.127Z

Link: CVE-2026-33767

Vulnrichment

Updated: 2026-03-27T17:27:38.441Z

NVD

Status: Analyzed

Published: 2026-03-27T17:16:29.597

Modified: 2026-03-31T16:48:14.443

Link: CVE-2026-33767

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:01:05Z

Weaknesses