CRITICAL🇵🇱 Wersja polska

CVE-2026-33352

CVSS 9.8v3.1pub. 2026-03-23

WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.

🤖 AI Analysis
How it works

The `getAllCategories()` method in the `objects/category.php` file accepts a `doNotShowCats` request parameter and sanitizes it only by removing single quote characters (`str_replace("'", '', ...)`). This protection can be trivially bypassed using backslash escape technique, which shifts the string boundaries in the SQL query, enabling injection of arbitrary SQL code. This parameter is not covered by any global input filter defined in `objects/security.php`, further facilitating exploitation.

Impact

An unprivileged remote attacker can read, modify, or delete data from the application database, resulting in complete compromise of data confidentiality, integrity, and availability.

Mitigation & patch

WWBN AVideo should be updated to version 26.0, which contains the official patch for this vulnerability. Patch details are available in the GitHub repository at the address specified in the references.

Who is affected

WWBN AVideo in versions prior to 26.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Wwbn Avideo

    APP
    Wwbn
    < 26.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-41064CRITICAL9.3PL ✓ten sam produkt

WWBN AVideo — niekompletna naprawa command injection w test.php

CVE-2026-40911CRITICAL10.0PL ✓ten sam produkt

WWBN AVideo: RCE przez eval() w pluginie YPTSocket — przejęcie kont

CVE-2026-33867CRITICAL9.1PL ✓ten sam produkt

WWBN AVideo: hasła do filmów przechowywane w bazie jako plaintext

CVE-2026-34374CRITICAL9.1PL ✓ten sam produkt

SQL Injection w WWBN AVideo — mechanizm uwierzytelniania RTMP

CVE-2026-33351CRITICAL9.1PL ✓ten sam produkt

SSRF w WWBN AVideo — brak walidacji parametru URL w saveDVR.json.php