CVE-2026-28501

Published: Mar 6, 2026Modified: Mar 16, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

Affected (1)

Products: Wwbn: Avideo

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wwbn Avideo	Before 24.0

Related CWEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (3)

https://github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1

Source: security-advisories@github.com

Patch

https://github.com/WWBN/AVideo/releases/tag/24.0

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56p

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.