CVE Vulnerability Database

CVE-2026-33723: Wwbn Avideo SQLi Vulnerability

CVE-2026-33723 is a SQL injection flaw in Wwbn Avideo that allows authenticated attackers to extract sensitive database information. This post covers the technical details, affected versions, impact, and mitigation.

CVE-2026-33723 Overview

CVE-2026-33723 is a SQL Injection vulnerability affecting WWBN AVideo, an open source video platform. In versions up to and including 26.0, the Subscribe::save() method in objects/subscribe.php concatenates the $this->users_id property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from $_POST['user_id'] in both subscribe.json.php and subscribeNotify.json.php. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts.

Critical Impact

Authenticated attackers can exploit this SQL Injection to extract sensitive database contents including password hashes, API keys, and encryption salts from the AVideo platform.

Affected Products

  • WWBN AVideo versions up to and including 26.0
  • Any installation whose objects/subscribe.php still builds the INSERT in Subscribe::save() by string interpolation
  • Systems exposing subscribe.json.php or subscribeNotify.json.php endpoints

Discovery Timeline

  • 2026-03-23 - CVE CVE-2026-33723 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-33723

Vulnerability Analysis

This SQL Injection vulnerability exists in the Subscribe class within the objects/subscribe.php file. The vulnerable code path is triggered when processing subscription requests through the subscribe.json.php or subscribeNotify.json.php endpoints. The root issue is that user-controlled input from $_POST['user_id'] flows directly into the $this->users_id property, which is then concatenated into an SQL INSERT statement without any form of sanitization or use of parameterized queries.

An authenticated attacker exploiting this vulnerability can craft malicious SQL payloads that, when processed by the save() method, execute arbitrary database queries. This enables extraction of sensitive data including user credentials (password hashes), API keys, encryption salts, and other confidential information stored in the database. The attack requires only low privileges (authenticated user) and can be executed remotely over the network without any user interaction.

Root Cause

The root cause is improper input validation and the use of string concatenation to build SQL queries (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The Subscribe::save() method directly embeds the $this->users_id value into the SQL INSERT statement using PHP string interpolation ('{$this->users_id}') instead of using prepared statements with parameterized queries. This allows attackers to break out of the intended SQL context and inject their own SQL commands.

Attack Vector

The attack is network-based and requires an authenticated user session. An attacker sends a crafted HTTP POST request to either subscribe.json.php or subscribeNotify.json.php with a user_id parameter that carries a SQL injection payload. The value is stored in the $this->users_id property and concatenated into the INSERT query. Because the injection point sits inside the VALUES clause of an INSERT rather than in a SELECT, a classic UNION is not the natural route; instead the attacker can close the quoted literal and supply the remaining column values themselves, including scalar subqueries that copy data from other tables into the inserted row, or fall back on database error messages or time-based inference to extract data blind.

php
// Vulnerable code (before patch):
$sql = "INSERT INTO subscribes ( users_id, email,status,ip, created, modified, subscriber_users_id) VALUES ('{$this->users_id}','{$this->email}', '{$this->status}', '" . getRealIpAddr() . "',now(), now(), '$this->subscriber_users_id')";
$saved = sqlDAL::writeSql($sql);

// Fixed code (after patch - commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c):
$sql = "INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, ?, ?, now(), now(), ?)";
$saved = sqlDAL::writeSql($sql, "isssi", [
    intval($this->users_id),
    (string) $this->email,
    (string) $this->status,
    getRealIpAddr(),
    intval($this->subscriber_users_id),
]);

Source: GitHub Commit Changes
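The following is an added example, not code from the advisory or from AVideo: an in-memory SQLite mock of the two save() shapes shown above, so the mechanism can be run offline. The table layouts, the stored hash and the payload are constructed; datetime('now') stands in for MySQL's now(), and intval() is a Python stand-in for the PHP function used in the patch.

```python
import re
import sqlite3

# Constructed mock (not AVideo's schema): just enough columns to mirror the INSERT.
COLUMNS = "users_id, email, status, ip, created, modified, subscriber_users_id"


def intval(value):
    """Stand-in for PHP intval(): the leading integer of the string, else 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
        CREATE TABLE subscribes (
            id INTEGER PRIMARY KEY AUTOINCREMENT, users_id INTEGER, email TEXT,
            status TEXT, ip TEXT, created TEXT, modified TEXT,
            subscriber_users_id INTEGER);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed.hash.value');
    """)
    return db


def save_vulnerable(db, users_id, email, status, ip, subscriber_users_id):
    # Pre-patch shape: every value interpolated into the SQL text, so a user_id
    # containing a quote rewrites the statement.
    sql = (f"INSERT INTO subscribes ({COLUMNS}) VALUES ('{users_id}','{email}',"
           f"'{status}','{ip}',datetime('now'),datetime('now'),'{subscriber_users_id}')")
    db.execute(sql)
    db.commit()
    return sql


def save_fixed(db, users_id, email, status, ip, subscriber_users_id):
    # Post-patch shape: placeholders, ids coerced with intval() first, so the
    # same payload is stored as the integer 1 and never reaches the SQL parser.
    sql = (f"INSERT INTO subscribes ({COLUMNS}) VALUES (?,?,?,?,"
           "datetime('now'),datetime('now'),?)")
    db.execute(sql, (intval(users_id), str(email), str(status), str(ip),
                     intval(subscriber_users_id)))
    db.commit()
    return sql


# Constructed payload for the user_id field: closes the first literal, supplies
# the remaining column values itself (a subquery result lands in the email
# column) and comments out the rest of the original statement.
PAYLOAD = ("1',(SELECT password FROM users WHERE id=1),'active','10.0.0.1',"
           "datetime('now'),datetime('now'),'1')--")


def demo_vulnerable():
    db = make_db()
    save_vulnerable(db, PAYLOAD, "victim@example.com", "active", "198.51.100.7", 2)
    # The hash from the users table now sits in the email column of the new row.
    return [row[0] for row in db.execute("SELECT email FROM subscribes")]


def demo_fixed():
    db = make_db()
    save_fixed(db, PAYLOAD, "victim@example.com", "active", "198.51.100.7", 2)
    return [tuple(row) for row in db.execute("SELECT users_id, email FROM subscribes")]


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # ['$2y$10$constructed.hash.value']
    print("fixed:     ", demo_fixed())        # [(1, 'victim@example.com')]
```

The point of the fixed variant is not only the placeholders: intval() discards everything after the leading digits, so even a driver that substituted values textually would see a bare integer.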

Detection Methods for CVE-2026-33723

Indicators of Compromise

  • Unusual or malformed user_id parameters in HTTP POST requests to subscribe.json.php or subscribeNotify.json.php
  • Database query logs in which the users_id value of an INSERT into the subscribes table is anything other than a single quoted integer: a closing quote followed by further SQL, subqueries or UNION SELECT, or comment sequences such as -- or /* (plain single quotes are normal in these statements and are not by themselves an indicator)
  • Unexpected database errors related to the subscribes table

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in POST parameters targeting subscription endpoints
  • Monitor database query logs for INSERT statements with suspicious payloads in the users_id field
  • Deploy intrusion detection signatures to identify common SQL injection attack patterns in HTTP traffic to AVideo installations
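As an added example (not part of the advisory), here is the query-log check from the list above in working form: it keeps a positive model of the one INSERT shape the pre-patch code can emit and flags any INSERT into subscribes that departs from it, which catches both a closed literal followed by attacker SQL and an expression that stays syntactically inside the first value. The log lines are constructed in MySQL general-log style; real log formats vary and the line regex would need adjusting.

```python
import re

# Positive model of the legitimate statement as the advisory shows it: a quoted
# integer users_id, three quoted strings, now(), now(), a quoted integer.
EXPECTED = re.compile(
    r"INSERT\s+INTO\s+subscribes\s*\([^)]*\)\s*VALUES\s*\(\s*"
    r"'\d+'\s*,\s*'[^']*'\s*,\s*'[^']*'\s*,\s*'[^']*'\s*,\s*"
    r"now\(\)\s*,\s*now\(\)\s*,\s*'\d+'\s*\)\s*;?\s*$",
    re.IGNORECASE,
)
SUBSCRIBES_INSERT = re.compile(r"INSERT\s+INTO\s+subscribes\b", re.IGNORECASE)
# Assumed line layout: <timestamp> <connection id> Query|Execute <sql>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?:Query|Execute)\s+(?P<sql>.*)$")


def suspicious_inserts(lines):
    """Return (timestamp, connection id, sql) for subscribes INSERTs that do not fit EXPECTED."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        sql = m.group("sql").strip()
        if not SUBSCRIBES_INSERT.match(sql):
            continue          # not the statement we care about
        if EXPECTED.match(sql):
            continue          # exactly the shape legitimate code produces
        hits.append((m.group("ts"), int(m.group("conn")), sql))
    return hits


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    # benign subscription
    "2026-03-24T10:15:02.123456Z\t   42 Query\tINSERT INTO subscribes ( users_id, email,status,ip, created, modified, subscriber_users_id) VALUES ('17','alice@example.com', 'active', '203.0.113.5',now(), now(), '3')",
    # unrelated query
    "2026-03-24T10:15:05.000000Z\t   43 Query\tSELECT * FROM videos WHERE id = 5",
    # user_id closed the literal and supplied its own column values
    "2026-03-24T10:15:09.000001Z\t   42 Query\tINSERT INTO subscribes ( users_id, email,status,ip, created, modified, subscriber_users_id) VALUES ('1',(SELECT password FROM users WHERE id=1),'active','10.0.0.1',now(),now(),'3')--','bob@example.com', 'active', '203.0.113.9',now(), now(), '3')",
    # user_id closed the literal and appended an expression (time-based probe)
    "2026-03-24T10:16:00.000000Z\t   44 Query\tINSERT INTO subscribes ( users_id, email,status,ip, created, modified, subscriber_users_id) VALUES ('17'+SLEEP(5)+'','eve@example.com', 'active', '203.0.113.9',now(), now(), '3')",
]


if __name__ == "__main__":
    for ts, conn, sql in suspicious_inserts(SAMPLE_LOG):
        print(f"{ts} conn={conn} suspicious: {sql[:90]}...")
```

A positive model is deliberately used instead of a blocklist of keywords: after patching, the legitimate statement changes shape (placeholders, then substituted values), so re-check EXPECTED against a known-good post-patch log line before relying on it.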

Monitoring Recommendations

  • Enable detailed logging for all requests to subscribe.json.php and subscribeNotify.json.php endpoints
  • Configure database audit logging to track all queries against the subscribes table
  • Set up alerting for authentication anomalies combined with unusual subscription activity patterns

How to Mitigate CVE-2026-33723

Immediate Actions Required

  • Update WWBN AVideo to a version containing commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c or later
  • Review database logs for signs of exploitation and check for unauthorized data access
  • If exploitation is suspected, treat the database as disclosed: force password resets for all accounts (a leaked hash cannot be rotated, only replaced), regenerate API keys, and change the encryption salt, allowing for the fact that anything derived from the old salt will have to be regenerated
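An added example, not part of the advisory or of AVideo, for the first action above: a script that reports whether a deployed AVideo tree carries the fix. It assumes either a git checkout (so the fix commit's ancestry can be checked) or that objects/subscribe.php matches the patched code as the advisory shows it; a tree that differs from both is reported as unknown rather than patched.

```python
import re
import subprocess
from pathlib import Path

FIX_COMMIT = "36dfae22059fbd66fd34bbc5568a838fc0efd66c"

# Pre-patch tell-tale: users_id interpolated into the SQL text.
INTERPOLATED = "'{$this->users_id}'"
# Post-patch tell-tale: the INSERT built with placeholders (as in the commit).
PARAMETERIZED = re.compile(
    r"INSERT INTO subscribes\s*\([^)]*\)\s*VALUES\s*\(\?, \?, \?, \?, now\(\), now\(\), \?\)")


def subscribe_php_is_patched(source: str) -> bool:
    """True when the source no longer interpolates users_id and uses placeholders."""
    if INTERPOLATED in source:
        return False
    return PARAMETERIZED.search(source) is not None


def commit_is_ancestor(repo: Path, commit: str = FIX_COMMIT) -> bool:
    """git merge-base --is-ancestor exits 0 when the fix commit is in HEAD's history."""
    if not (repo / ".git").exists():
        return False
    try:
        r = subprocess.run(
            ["git", "-C", str(repo), "merge-base", "--is-ancestor", commit, "HEAD"],
            capture_output=True)
    except FileNotFoundError:   # git not installed
        return False
    return r.returncode == 0


def check_avideo_fix(install_dir) -> str:
    """Return 'patched (git)', 'patched (source)' or 'vulnerable or unknown'."""
    repo = Path(install_dir)
    if commit_is_ancestor(repo):
        return "patched (git)"
    php = repo / "objects" / "subscribe.php"
    if php.is_file() and subscribe_php_is_patched(php.read_text(errors="replace")):
        return "patched (source)"
    return "vulnerable or unknown"


if __name__ == "__main__":
    import sys
    # Assumed usage: python3 check_fix.py /var/www/AVideo (path is an assumption)
    print(check_avideo_fix(sys.argv[1] if len(sys.argv) > 1 else "."))
```

The git check is the authoritative one; the source check exists for installations unpacked from an archive, and will report unknown if upstream later reformats the statement.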

Patch Information

The vulnerability has been addressed in commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c. The fix refactors the save() method in the Subscribe class to use prepared statements with parameterized queries instead of direct string concatenation. This ensures that user input is properly bound as data rather than being interpreted as SQL code. Review the GitHub Commit Changes and GitHub Security Advisory GHSA-ffr8-fxhv-fv8h for complete patch details.

Workarounds

  • Restrict access to subscribe.json.php and subscribeNotify.json.php endpoints at the web server level until patching is complete
  • Reject non-numeric user_id values before they reach PHP; this needs a component that inspects the POST body (a WAF or a ModSecurity-style module), since plain web server location rules only see the request URI
  • Deploy a Web Application Firewall with SQL injection detection rules in front of the AVideo installation
nginx
# Example nginx configuration to restrict access to the vulnerable endpoints.
# Matches the script name in any directory; place it before the generic
# "location ~ \.php$" block, since nginx uses the first matching regex location.
location ~ /(subscribe|subscribeNotify)\.json\.php$ {
    # Allow only trusted IP ranges until patched
    allow 192.168.1.0/24;
    deny all;
    # Keep passing allowed requests to PHP-FPM; without a fastcgi handler this
    # block would serve the .php source as a static file. Copy these directives
    # from your existing PHP location (the socket path below is an assumption).
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
