CVE-2026-33025

AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection vulnerability in the getSqlFromPost() method of Object.php. The keys of the $_POST['sort'] array are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, so it is entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
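The advisory's point is that escaping is a string-literal defence and does nothing for a bare identifier, while an allowlist on the identifier does. The following is an added example, not AVideo's code and not the 8.0 fix: a minimal ORDER BY builder in the shape the advisory describes, applying the [A-Za-z0-9_] allowlist it recommends before any sort key reaches the SQL string. The function names (isSafeIdentifier, normalizeDirection, buildOrderBy) and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not AVideo's code). Function names are assumptions.

// The allowlist the advisory recommends: only [A-Za-z0-9_] may appear in a
// sort key. An identifier that fails this is rejected, never "escaped":
// real_escape_string() would leave a key without quotes or null bytes
// unchanged, which is exactly why it gives no protection in this position.
function isSafeIdentifier(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]+$/', $name) === 1;
}

// The sort direction is a second untrusted value; pin it to a fixed
// vocabulary instead of interpolating it.
function normalizeDirection(string $dir): string
{
    return strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
}

/**
 * Build an ORDER BY clause from a $_POST['sort']-style array, where array
 * keys are column names and values are directions. Any key outside the
 * allowlist aborts the request with an exception.
 */
function buildOrderBy(array $sort): string
{
    $parts = [];
    foreach ($sort as $column => $direction) {
        // PHP turns numeric-string array keys into ints; cast back to string.
        $column = (string) $column;
        if (!isSafeIdentifier($column)) {
            throw new InvalidArgumentException('Rejected sort column: ' . $column);
        }
        $parts[] = '`' . $column . '` ' . normalizeDirection((string) $direction);
    }
    return $parts === [] ? '' : ' ORDER BY ' . implode(', ', $parts);
}

// Constructed sample inputs standing in for $_POST['sort'].
$accepted = ['created' => 'desc', 'title' => 'asc'];
echo buildOrderBy($accepted), PHP_EOL;   // " ORDER BY `created` DESC, `title` ASC"

$rejected = ['created title' => 'asc'];  // space is outside [A-Za-z0-9_]
try {
    buildOrderBy($rejected);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;      // "Rejected sort column: created title"
}
```

The same regular expression is what a WAF rule implementing the advisory's workaround would apply to each sort[*] key name; here it runs in the application so the check holds even for requests that bypass the WAF. Binding to a list of known column names of the table would be stricter still, but the character allowlist is the remedy the advisory states.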
Configurations

Configuration 1

cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*

History

24 Mar 2026, 16:32

Type: CPE
  Values Added: cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 8.8

Type: References
  Values Removed: () https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124 -
  Values Added: () https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124 - Patch

Type: References
  Values Removed: () https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj -
  Values Added: () https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj - Mitigation, Vendor Advisory

Type: First Time
  Values Added: Wwbn; Wwbn avideo-encoder

Type: Summary
  • (es, translated to English) AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection vulnerability in the getSqlFromPost() method of Object.php. The keys of the $_POST['sort'] array are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, which makes it entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.

20 Mar 2026, 05:16

Type: New CVE

Information

Published : 2026-03-20 05:16

Updated : 2026-03-24 16:32


NVD link : CVE-2026-33025

Mitre link : CVE-2026-33025

CVE.ORG link : CVE-2026-33025



Products Affected

wwbn

  • avideo-encoder
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')