{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33770", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.128Z", "datePublished": "2026-03-27T16:13:51.872Z", "dateUpdated": "2026-03-27T16:13:51.872Z"}, "containers": {"cna": {"title": "AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vf"}, {"name": "https://github.com/WWBN/AVideo/commit/994cc2b3d802b819e07e6088338e8bf4e484aae4", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/994cc2b3d802b819e07e6088338e8bf4e484aae4"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T16:13:51.872Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch."}], "source": {"advisory": "GHSA-584p-rpvq-35vf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch."}], "id": "CVE-2026-33770", "lastModified": "2026-03-27T17:16:29.747", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T17:16:29.747", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/994cc2b3d802b819e07e6088338e8bf4e484aae4"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T17:21:11.897998+00:00", "value": {"mitigation_remediation": ["Apply the patch referenced in commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 or upgrade to AVideo version 26.1 or later", "Verify that the application no longer uses unparameterized SQL in the category module", "Monitor database logs for unexpected SELECT queries on the category table to detect potential exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Database compromise"}, "threat_synthesis": {"affected_systems": "This flaw affects the WWBN AVideo open\u2011source video platform in all releases up to and including version 26.0. The issue originates from the fixCleanTitle() method in objects/category.php; any deployment that still hosts these legacy releases is vulnerable. Upgrading past 26.0 removes the vulnerable code path.", "description_and_impact": "The vulnerability is a classic SQL injection flaw in the category creation or renaming flow. An attacker who can set the category title with carefully crafted content can embed arbitrary SQL into a SELECT statement executed by the application. Because the application builds the query by directly inserting the title and id parameters, the injected SQL can read, modify, or delete data from the database, exposing sensitive information or allowing destructive data loss.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high impact severity. No EPSS value is available, but the absence of a KEV listing does not imply low risk. The attack vector is likely remote and requires the ability to trigger category creation or renaming via the web interface or API; once enabled, the attacker can execute arbitrary SQL. The exploit is straightforward for those who can craft the title field, so the risk to installations that expose this UI or API to untrusted users is significant."}}}}, "created": "2026-03-27T20:28:08.128760+00:00", "updated": "2026-03-27T20:28:08.128840+00:00", "vendors": []}