Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.
Published: 2026-03-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach and Potential Account Compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unparameterized SQL injection in the Live_schedule::keyExists() method of the WWBN AVideo platform. During RTMP publish authentication, the stream key supplied by the broadcaster is inserted directly into a SQL statement without escaping or parameterization. This allows an attacker to inject arbitrary SQL, potentially reading, modifying, or deleting data related to live schedules or bypassing authentication. The weakness aligns with CWE‑89.

Affected Systems

All installations of WWBN AVideo up to and including version 26.0 are affected. The issue remains in the core Live_schedule module and is triggered when the fallback lookup for stream keys is used during RTMP authentication. No patched release is available at the time of publication, so any site running a vulnerable version and allowing public RTMP publishing is at risk.

Risk and Exploitability

The CVSS base score of 9.1 indicates a severe risk. EPSS indicates a low probability of exploitation at the moment (<1 %), and the vulnerability is not listed in the CISA KEV catalog. However, the attack path is remote and requires only a crafted stream key that can be sent over the RTMP publish channel, making it potentially accessible to anyone who can broadcast to the server. The lack of privileged prerequisites means that a normal user could leverage the flaw, emphasizing the urgency of an immediate fix.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact WWBN for a patch release or upstream fix.
  • If a patch is not available, modify Live_schedule::keyExists() to use parameterized queries or reject non‑alphanumeric stream keys.
  • Disable or restrict the RTMP publish endpoint to trusted sources only.
  • Monitor authentication logs for abnormal stream keys or SQL errors.
  • Keep the system isolated from public networks until a fix is applied.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Sat, 28 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.
Title AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:33:12.013Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34374

cve-icon Vulnrichment

Updated: 2026-03-27T19:33:07.864Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T19:16:42.930

Modified: 2026-03-31T18:49:13.140

Link: CVE-2026-34374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:55:30Z

Weaknesses