WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.
References
| Link | Resource |
|---|---|
| https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874 | Patch |
| https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj | Exploit Mitigation Vendor Advisory |
Configurations
History
23 Mar 2026, 15:56
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Wwbn
Wwbn avideo |
|
| References | () https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874 - Patch | |
| References | () https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj - Exploit, Mitigation, Vendor Advisory | |
| CPE | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* |
23 Mar 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-23 14:16
Updated : 2026-03-23 15:56
NVD link : CVE-2026-33352
Mitre link : CVE-2026-33352
CVE.ORG link : CVE-2026-33352
JSON object : View
Products Affected
wwbn
- avideo
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')