CRITICAL🇵🇱 Wersja polska

CVE-2026-34374

CVSS 9.1v3.1pub. 2026-03-27upd. 2026-03-31

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Wwbn Avideo

    APP
    Wwbn
    ≤ 26.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-41064CRITICAL9.3PL ✓ten sam produkt

WWBN AVideo — niekompletna naprawa command injection w test.php

CVE-2026-40911CRITICAL10.0PL ✓ten sam produkt

WWBN AVideo: RCE przez eval() w pluginie YPTSocket — przejęcie kont

CVE-2026-33867CRITICAL9.1PL ✓ten sam produkt

WWBN AVideo: hasła do filmów przechowywane w bazie jako plaintext

CVE-2026-33351CRITICAL9.1PL ✓ten sam produkt

SSRF w WWBN AVideo — brak walidacji parametru URL w saveDVR.json.php

CVE-2026-33478CRITICAL10.0PL ✓ten sam produkt

RCE bez uwierzytelnienia w WWBN AVideo — łańcuch podatności w pluginie CloneSite