CVE-2026-28501

CRITICAL EPSS 71.2%
Published Mar 6, 2026 (3mo ago) · Modified Jun 17, 2026 (1w ago)
9.8 CVSS 3.1
Critical

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

CVSS Details

Base Score: 9.8
Exploitability: 3.9
Impact: 5.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 71.2% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-89: SQL Injection

Affected Products 1

Vendor  Product  Version  Range
wwbn    avideo   *        <24.0

References 3

  • github.com https://github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1
    Patch
  • github.com https://github.com/WWBN/AVideo/releases/tag/24.0
    Product, Release Notes
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56p
    Vendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1
    Patch