
CVE-2026-33770: WWBN AVideo SQL Injection Vulnerability

CVE-2026-33770 is a SQL injection flaw in WWBN AVideo that allows attackers to inject arbitrary SQL through crafted category titles. This post covers the technical details, affected versions, impact, and mitigation.


CVE-2026-33770 Overview

CVE-2026-33770 is a SQL Injection vulnerability in WWBN AVideo, an open source video platform. In versions up to and including 26.0, the fixCleanTitle() static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $clean_title and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation.

Critical Impact

Authenticated attackers with category management privileges can exploit this SQL injection to extract sensitive data from the database, including user credentials and private video metadata.

Affected Products

  • WWBN AVideo versions up to and including 26.0

Discovery Timeline

  • 2026-03-27 - CVE-2026-33770 published to NVD
  • 2026-03-31 - Last updated in NVD database

Technical Details for CVE-2026-33770

Vulnerability Analysis

This SQL Injection vulnerability exists in the fixCleanTitle() static method within objects/category.php. The function is responsible for ensuring category names are unique when creating or renaming categories. The vulnerable code directly concatenates user-controlled input ($clean_title and $id) into a raw SQL query string without any sanitization or use of parameterized queries.

When a user with category management privileges creates or renames a category, the title value passes through this function. An attacker can craft a malicious title containing SQL metacharacters that break out of the intended query context, allowing them to append arbitrary SQL statements. This can be leveraged to read sensitive data from other database tables, bypass authentication checks, or enumerate the database schema.

Root Cause

The root cause is the use of direct string interpolation for constructing SQL queries instead of using prepared statements with parameterized queries. The vulnerable code builds the query by embedding $clean_title and $id variables directly into the SQL string using PHP's variable interpolation syntax ({$variable}), which provides no protection against SQL injection attacks.

Attack Vector

The attack requires network access and low-privilege authentication (PR:L). An attacker who can access the category management functionality (typically available to content moderators or administrators) can exploit this vulnerability by:

  1. Navigating to the category creation or editing interface
  2. Submitting a crafted category title containing SQL injection payloads
  3. The crafted title is passed to fixCleanTitle(), where it is interpolated directly into the SQL query
  4. The injected SQL executes with the privileges of the database connection

The following patch shows how the vulnerability was addressed by implementing prepared statements:

php
             $original_title = $clean_title;
         }
 
-        $sql = "SELECT * FROM categories WHERE clean_name = '{$clean_title}' ";
+        $id = intval($id);
         if (!empty($id)) {
-            $sql .= " AND id != {$id} ";
+            $sql = "SELECT * FROM categories WHERE clean_name = ? AND id != ? LIMIT 1";
+            $res = sqlDAL::readSql($sql, "si", [$clean_title, $id], true);
+        } else {
+            $sql = "SELECT * FROM categories WHERE clean_name = ? LIMIT 1";
+            $res = sqlDAL::readSql($sql, "s", [$clean_title], true);
         }
-        $sql .= " LIMIT 1";
-        $res = sqlDAL::readSql($sql, "", [], true);
         $cleanTitleExists = sqlDAL::fetchAssoc($res);
         sqlDAL::close($res);
         if (!empty($cleanTitleExists)) {
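Review bot: the `$id = intval($id);` line combined with `if (!empty($id))` means a non-numeric or zero id silently drops the `AND id != ?` exclusion instead of being rejected, so a rename called with a malformed id would no longer exclude the category being renamed from its own uniqueness check; consider validating the id (for example with `ctype_digit` or `is_int` before the cast) and returning early on an invalid value. The binding itself is correct: the "si" type string matches the `[$clean_title, $id]` order, and `$sql` is assigned in both branches so the later `fetchAssoc`/`close` calls are unchanged.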

Source: GitHub Commit Update

Detection Methods for CVE-2026-33770

Indicators of Compromise

  • Unusual SQL error messages in application logs related to category operations
  • Database query logs showing unexpected UNION, SELECT, or subquery patterns in category-related queries
  • Anomalous access patterns to the category management endpoints
  • Evidence of data exfiltration or unauthorized database reads in audit logs

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in category name parameters
  • Monitor database query logs for suspicious SQL syntax including UNION-based injection signatures
  • Deploy runtime application self-protection (RASP) to detect SQL injection attempts at the application layer
  • Review access logs for repeated requests to category creation/editing endpoints with unusual payloads
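The query-log strategy above can be made concrete by checking each statement against the categories table for the one shape fixCleanTitle() legitimately produces (a single quoted literal, an optional integer id, LIMIT 1) and by applying generic UNION/subquery/comment signals to everything else. This is an added example, not AVideo code; it assumes the MySQL general query log file format (time, thread id, command, argument) and uses constructed sample lines.

```python
"""Flag categories-table statements in a MySQL general query log that deviate from fixCleanTitle()'s shape."""
import re

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Legitimate lookup: one quoted literal (escaped quotes allowed), optional integer id, LIMIT 1.
# A title that closes the quote and appends SQL cannot match this shape.
LOOKUP_PREFIX = re.compile(r"^SELECT \* FROM categories WHERE clean_name =", re.IGNORECASE)
EXPECTED_LOOKUP = re.compile(
    r"^SELECT \* FROM categories WHERE clean_name = '(?:[^'\\]|\\.)*'\s*(?:AND id != \d+\s*)?LIMIT 1\s*$",
    re.IGNORECASE)
# Generic signals for any other statement that touches the categories table.
TOUCHES_CATEGORIES = re.compile(r"\bcategories\b", re.IGNORECASE)
SIGNALS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE),
    "subquery": re.compile(r"\(\s*select\b", re.IGNORECASE),
    "comment_terminator": re.compile(r"--|#|/\*"),
    "stacked_statement": re.compile(r";\s*\w"),
}


def classify_query(sql):
    """Return a reason string if the statement looks like injection against categories, else None."""
    if not TOUCHES_CATEGORIES.search(sql):
        return None
    if LOOKUP_PREFIX.match(sql):
        return None if EXPECTED_LOOKUP.match(sql) else "lookup deviates from fixCleanTitle shape"
    hits = [name for name, rx in SIGNALS.items() if rx.search(sql)]
    return ",".join(hits) if hits else None


def scan_general_log(lines):
    """Return (timestamp, thread id, reason, sql) for each suspicious Query/Execute entry."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m or m.group("cmd") not in ("Query", "Execute"):
            continue  # headers, Connect/Quit entries and unparsable lines are skipped
        reason = classify_query(m.group("arg"))
        if reason:
            findings.append((m.group("ts"), int(m.group("tid")), reason, m.group("arg")))
    return findings


# Constructed sample log lines (not real AVideo traffic): two benign lookups, one broken-out
# lookup, and a videos query whose "categories_id" column must not trip the table check.
SAMPLE_LOG = [
    "2026-03-28T10:15:02.100000Z\t   12 Query\tSELECT * FROM categories WHERE clean_name = 'news'  LIMIT 1",
    "2026-03-28T10:15:07.200000Z\t   12 Query\tSELECT * FROM categories WHERE clean_name = 'news'  AND id != 7  LIMIT 1",
    "2026-03-28T10:16:41.300000Z\t   19 Query\tSELECT * FROM categories WHERE clean_name = 'x' UNION SELECT 1,2,3 -- '  LIMIT 1",
    "2026-03-28T10:16:42.400000Z\t   19 Query\tSELECT * FROM videos WHERE categories_id = 3",
]
```

Run `scan_general_log` over the real log file (`open(path)` yields lines directly); after the patch the same shape check still holds because the general log records Execute entries with bound parameters substituted.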

Monitoring Recommendations

  • Enable detailed logging for all category management operations in AVideo
  • Configure database auditing to track queries executed against the categories table
  • Set up alerts for failed or malformed SQL queries originating from the application
  • Monitor for authentication anomalies from accounts with category management privileges

How to Mitigate CVE-2026-33770

Immediate Actions Required

  • Update WWBN AVideo to a version that includes commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 or later
  • Review database access logs for any signs of prior exploitation
  • Restrict category management privileges to trusted administrators only
  • Implement network-level access controls to limit exposure of the AVideo administrative interface

Patch Information

The vulnerability has been addressed in commit 994cc2b3d802b819e07e6088338e8bf4e484aae4. The fix refactors the SQL query in the fixCleanTitle() method to use prepared statements with proper parameter binding. The $id parameter is also explicitly cast to an integer using intval() as an additional defense layer. Organizations should update to a version containing this fix. Refer to the GitHub Security Advisory GHSA-584p-rpvq-35vf for official guidance.

Workarounds

  • Temporarily disable category creation and renaming functionality until the patch is applied
  • Implement input validation at the web server or WAF level to block SQL metacharacters in category titles
  • Restrict database user permissions to limit the impact of potential SQL injection exploitation
  • Place the AVideo instance behind a reverse proxy with request filtering capabilities

```apache
# Example: restrict the category management path to a trusted network (temporary workaround).
# <LocationMatch> is only valid in the main server or virtual host configuration, not in an
# .htaccess file; adjust the path to the category endpoint of your AVideo deployment.
<LocationMatch "/admin/category">
    # Apache 2.4 syntax. On Apache 2.2 use: Order Deny,Allow / Deny from all / Allow from 192.168.1.0/24
    Require ip 192.168.1.0/24
</LocationMatch>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
