cbcvebase.
CVE-2026-28501
published 2026-03-06


Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 1.51% (71.3th percentile)
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

Affected (2 ranges)

Vendor  Product  Version range  Fixed in
wwbn    avideo   < 24.0         24.0
wwbn    avideo   0 – 21.0.0     (not stated)

Detection & IOCs (extracted from sources)

path: objects/videos.json.php
path: objects/video.php
  • Monitor POST requests to objects/videos.json.php and objects/video.php with a JSON-formatted body containing a 'catName' parameter, as this is the injection vector that bypasses sanitization in security.php
  • Alert on SQL injection payloads using BENCHMARK() in the catName parameter of AVideo endpoints; SLEEP()-based payloads are blocked, but BENCHMARK()-based time-blind injection is the active exploitation technique
  • The injection bypasses security.php's GET/POST sanitization because JSON body parsing and merging into $_REQUEST occurs after the security filter runs; inspect JSON Content-Type POST bodies to objects/videos.json.php for catName keys
  • A public Metasploit auxiliary module (gather/avideo_catname_sqli) exists for this CVE and is capable of dumping usernames and password hashes unauthenticated; expect exploitation attempts matching this module's behavior
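The detection points above, as an added example that is not part of this advisory or of the AVideo project: a small Python classifier that flags JSON-body POSTs to the two affected endpoints carrying a catName key, and escalates when the value contains a time-based blind marker. It assumes requests are available as (method, path, content-type, body) tuples; the sample records are constructed, not captured traffic.

```python
import json
import re

# Endpoints named in the advisory where a catName value sent in a JSON body
# is merged into $_REQUEST only after security.php has already run.
VULNERABLE_SUFFIXES = ("objects/videos.json.php", "objects/video.php")
# Time-based blind marker named in the advisory (BENCHMARK); SLEEP is
# included too so blocked attempts still show up in the alert stream.
TIME_BLIND = re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.IGNORECASE)


def classify_request(method, path, content_type, body):
    """Return None (ignore), 'suspicious' or 'exploit' for one request."""
    if method.upper() != "POST":
        return None
    clean_path = path.split("?", 1)[0].lower()
    if not clean_path.endswith(VULNERABLE_SUFFIXES):
        return None
    if "application/json" not in content_type.lower():
        return None  # form-encoded bodies pass through the normal filter
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or "catName" not in data:
        return None
    if TIME_BLIND.search(str(data["catName"])):
        return "exploit"
    return "suspicious"  # JSON catName is the bypass path; review it


# Constructed sample records (method, path, content-type, body); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "/objects/videos.json.php?catName=news", "", ""),
    ("POST", "/objects/videos.json.php", "application/x-www-form-urlencoded",
     "catName=news"),
    ("POST", "/avideo/objects/videos.json.php", "application/json",
     '{"catName": "news"}'),
    ("POST", "/objects/video.php", "application/json; charset=utf-8",
     '{"catName": "x\') AND BENCHMARK(5000000,MD5(1))#"}'),
    ("POST", "/objects/video.php", "application/json", "not json at all"),
]


def scan(requests):
    """Map each request index to its verdict, skipping ignored requests."""
    return {i: v for i, r in enumerate(requests)
            if (v := classify_request(*r)) is not None}


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS).items():
        print(index, verdict)
```

A form-encoded POST with the same key is deliberately ignored, since that path is covered by the existing security.php filter; only the JSON route reaches the sink unsanitized.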