Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.
Published: 2026-03-27
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Database Compromise via Remote SQL Injection
Action: Patch Now
AI Analysis

Impact

The flaw resides in the Live_schedule::keyExists() method, which concatenates a caller-supplied stream key directly into an SQL query instead of binding it as a parameter. The method is reached as a fallback from LiveTransmition::keyExists() during RTMP publish authentication whenever the parameterized primary lookup finds no match, so an attacker does not need a valid key: any unknown key reaches the vulnerable path, and a crafted key injects arbitrary SQL. Successful exploitation could give the attacker read and write access to the database, permitting data exfiltration, tampering with user accounts, or altering system configuration. The vulnerability is classified as CWE-89 (SQL injection).
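The following is an added illustration of the pattern the advisory describes, not code from AVideo: a parameterized primary lookup whose fallback interpolates the stream key into the query text, beside a hardened fallback that binds the key and rejects anything outside an assumed key alphabet. It runs against an in-memory SQLite database; the table and column names, the sample rows and the crafted keys are all constructed for the demonstration.

```python
"""Illustrative reconstruction (not AVideo code) of a parameterized key lookup
whose fallback interpolates the key into SQL, beside a hardened fallback.
Runs on an in-memory SQLite database; table and column names are assumed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one live transmission key and one scheduled key."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE live_transmitions (id INTEGER PRIMARY KEY, users_id INTEGER, key TEXT);
        CREATE TABLE live_schedule     (id INTEGER PRIMARY KEY, users_id INTEGER, key TEXT);
        INSERT INTO live_transmitions VALUES (1, 10, 'transmission-key-1');
        INSERT INTO live_schedule     VALUES (7, 42, 'scheduled-key-7');
        """
    )
    return conn


def schedule_key_exists_vulnerable(conn, key):
    # The pattern the advisory describes: the caller-supplied key is pasted
    # into the query text, so quotes in the key change the query's meaning.
    sql = f"SELECT id, users_id FROM live_schedule WHERE key = '{key}' LIMIT 1"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # A syntax error here (e.g. an unbalanced quote) is itself a signal an
        # attacker can use to confirm the injection point.
        return "SQL_ERROR"


STREAM_KEY_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")  # assumed key alphabet


def schedule_key_exists_hardened(conn, key):
    # Fix: bind the key as a parameter so it is always compared as data, and
    # reject anything outside the expected key alphabet before touching the DB.
    if not STREAM_KEY_RE.fullmatch(key):
        return None
    return conn.execute(
        "SELECT id, users_id FROM live_schedule WHERE key = ? LIMIT 1", (key,)
    ).fetchone()


def transmission_key_exists(conn, key, schedule_lookup):
    """Parameterized primary lookup; falls back to schedule_lookup on a miss.
    The fallback is reached exactly when the key is unknown, i.e. whenever an
    attacker sends a key that is not a real one."""
    row = conn.execute(
        "SELECT id, users_id FROM live_transmitions WHERE key = ? LIMIT 1", (key,)
    ).fetchone()
    if row is not None:
        return row
    return schedule_lookup(conn, key)


# Crafted stream keys (constructed here for the demonstration).
PROBE_KEY = "x'"
BYPASS_KEY = "x' OR '1'='1"
UNION_KEY = "x' UNION SELECT id, users_id FROM live_transmitions WHERE '1'='1"


def demo():
    conn = make_db()
    return {
        "legit_vuln": transmission_key_exists(conn, "transmission-key-1", schedule_key_exists_vulnerable),
        "legit_safe": transmission_key_exists(conn, "scheduled-key-7", schedule_key_exists_hardened),
        # A lone quote breaks the interpolated query: a database error leaks
        # the injection point even before any data is extracted.
        "probe_vuln": transmission_key_exists(conn, PROBE_KEY, schedule_key_exists_vulnerable),
        # Unknown key reaches the fallback; the crafted key makes WHERE always
        # true, so the lookup "authenticates" as the owner of the first scheduled stream.
        "bypass_vuln": transmission_key_exists(conn, BYPASS_KEY, schedule_key_exists_vulnerable),
        # Same key, hardened fallback: rejected by the allowlist, no row returned.
        "bypass_safe": transmission_key_exists(conn, BYPASS_KEY, schedule_key_exists_hardened),
        # Cross-table read: the UNION pulls a row from a different table entirely.
        "union_vuln": transmission_key_exists(conn, UNION_KEY, schedule_key_exists_vulnerable),
        "union_safe": transmission_key_exists(conn, UNION_KEY, schedule_key_exists_hardened),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The point of the structure is the one the advisory makes: the primary query is safe, but because the fallback runs precisely when the primary finds nothing, every attacker-chosen key lands in the unparameterized query. Parameterizing the fallback is the fix; the allowlist check is defence in depth that also gives a clean place to log and alert on malformed keys.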

Affected Systems

The affected product is WWBN AVideo, an open source video platform. All releases up to and including version 26.0 are vulnerable. No patched version is currently available; the vendor had not released an update at the time of this advisory.

Risk and Exploitability

The CVSS 3.1 base score is 9.1 (Critical; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): reachable over the network, low attack complexity, no privileges or user interaction required, high impact to confidentiality and integrity, none to availability. EPSS data is unavailable and the issue is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack path inferred from the description is an RTMP publisher sending a malicious stream key during publish authentication. Because the injection point sits on the RTMP ingest endpoint, which is normally exposed so that broadcasters can publish, anyone who can reach that endpoint with an RTMP client could potentially exploit the flaw without holding a valid stream key.

Generated by OpenCVE AI on March 27, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to a version beyond 26.0 when it becomes available
  • Restrict RTMP publishing to trusted IP addresses or networks
  • Implement firewall rules to block unsolicited RTMP connections
  • Enable logging for rejected RTMP publish attempts and monitor submitted stream keys for SQL metacharacters (quotes, comment sequences, UNION or OR clauses) and for database errors raised during key lookup
  • Apply general web application security best practices, such as validating all user inputs against an allowlist and using parameterized queries in all database interactions, including fallback code paths

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:45:00 +0000

Type          Values Removed    Values Added
Description                     (identical to the Description at the top of this page)
Title                           AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
Weaknesses                      CWE-89
References
Metrics                         cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:33:12.013Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34374

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T19:16:42.930

Modified: 2026-03-27T19:16:42.930

Link: CVE-2026-34374

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:48Z

Weaknesses