Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
Published: 2026-03-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the static method fixCleanTitle() in objects/category.php. It builds a SQL SELECT query by directly inserting the $clean_title and $id values into the query string without using prepared statements. Because of this, an attacker who can trigger category creation or renaming with a crafted title can inject arbitrary SQL statements, which can lead to unauthorized data disclosure, modification, or deletion. This flaw is a classic case of CWE-89 (SQL injection).

Affected Systems

The affected product is WWBN AVideo, an open-source video platform. Versions up to and including 26.0 are impacted. The vulnerability is present in the category handling code and can be triggered by any user who has the capability to create or rename categories within the platform.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high-severity flaw. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The exploitation path requires the attacker to interact with the category API or admin interface, providing a specially crafted title value. Although the vector is the web interface (local or remote), the need for category manipulation limits the scope to users with those privileges.

Generated by OpenCVE AI on March 31, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 or upgrade to AVideo version 26.1 or newer.
  • If immediate upgrade is not possible, ensure that category titles are sanitized and the query uses prepared statements; avoid direct interpolation.
  • Verify that the category creation and renaming endpoints enforce proper authentication and authorization.
  • Monitor database activity for anomalous SELECT or DML statements that may indicate exploitation attempts.
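As an added illustration of the pattern described above and of the "prepared statements, not interpolation" recommendation (this is not AVideo's code; table and column names, the connection details and the sample title are constructed placeholders):

```php
<?php
// Vulnerable shape, as the advisory describes it: $clean_title and $id are
// spliced into the SQL text, so a quote character in the title becomes part
// of the query grammar rather than part of a string value.
function buildInterpolatedQuery(string $clean_title, string $id): string
{
    return "SELECT id FROM categories WHERE clean_title = '{$clean_title}' AND id != {$id}";
}

// Hardened shape: the SQL text is constant and the values are bound as typed
// parameters ('s' = string, 'i' = integer), so the server never parses them
// as SQL. Returns the colliding category id, or null if the title is free.
function findCleanTitleCollision(mysqli $db, string $clean_title, int $id): ?int
{
    $stmt = $db->prepare(
        'SELECT id FROM categories WHERE clean_title = ? AND id != ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $clean_title, $id);
    $stmt->execute();
    $stmt->bind_result($found);
    $collision = $stmt->fetch() ? (int) $found : null;
    $stmt->close();
    return $collision;
}

// Constructed title containing a single quote. Interpolated, it rewrites the
// WHERE clause; bound, it is an ordinary string that simply matches no row.
$title = "news' OR '1'='1";
echo buildInterpolatedQuery($title, '7'), PHP_EOL;

// The bound version needs a live connection (placeholder credentials):
// $db = new mysqli('localhost', 'user', 'pass', 'avideo');
// var_dump(findCleanTitleCollision($db, $title, 7));
```

Typing `$id` as `int` in the hardened function also rejects non-numeric ids at the PHP boundary, independently of the database binding.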

Advisories
Source: Github GHSA
ID: GHSA-584p-rpvq-35vf
Title: AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
History

Tue, 31 Mar 2026 17:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 31 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values added: Wwbn; Wwbn avideo

Fri, 27 Mar 2026 16:45:00 +0000

Type: Description
Values added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.

Type: Title
Values added: AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

Type: Weaknesses
Values added: CWE-89

Type: References

Type: Metrics (cvssV4_0)
Values added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T13:29:27.273Z

Reserved: 2026-03-23T18:30:14.128Z

Link: CVE-2026-33770

Vulnrichment

Updated: 2026-03-31T13:29:23.141Z

NVD

Status: Analyzed

Published: 2026-03-27T17:16:29.747

Modified: 2026-03-31T16:46:25.347

Link: CVE-2026-33770

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:01:04Z

Weaknesses