CVE-2026-28501
Published 2026-03-06
Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit / EPSS: 1.51% (71.3th percentile)
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | < 24.0 | 24.0 |
| wwbn | avideo | 0 – 21.0.0 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to objects/videos.json.php and objects/video.php with a JSON-formatted body containing a 'catName' parameter, as this is the injection vector that bypasses sanitization in security.php
- Alert on SQL injection payloads using BENCHMARK() in the catName parameter of AVideo endpoints; SLEEP()-based payloads are blocked but BENCHMARK()-based time-blind injection is the active exploitation technique
- The injection bypasses security.php's GET/POST sanitization because JSON body parsing and merging into $_REQUEST occurs after the security filter runs; inspect JSON Content-Type POST bodies to objects/videos.json.php for catName keys
- A public Metasploit auxiliary module (gather/avideo_catname_sqli) exists for this CVE and is capable of dumping usernames and password hashes unauthenticated; expect exploitation attempts matching this module's behavior
OSV
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
osv · 2026-03-02 · CVE-2026-28501 [CRITICAL]
## Impact
An unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components.
The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms.
This allows an unauthenticated attacker to:
- Execute arbitrary SQL queries
- Perform full database exfiltration
- Extract sensitive data including administrator usernames, password hashes, session identifiers and user records
- Potentially escalate privileges by cracking passw
GHSA
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
ghsa · 2026-03-02 · CVE-2026-28501 [CRITICAL] · CWE-89
Advisory text identical to the OSV entry above.
No detection rules found.
Rapid7
Metasploit Wrap-Up 04/17/2026
blogs_rapid7 · 2026-04-17 · CVSS 9.8 · CVE-2026-28501 [CRITICAL]
## Happy Friday - Seven New Metasploit Modules
We’re happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week’s highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On the post-exploitation side, Windows saw three new persistence techniques added as modules, targeting Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS.
What a time to be alive as a Metasploit user! We wish you all a wonderful weekend and happy hacking.
## New module content (7)
## AVideo Unauthenticated SQL Injection Credential Dump
Authors: Valentin Lobstein and arkmarta
Type: Auxiliary
Pull request: #21075 contributed by Chocapikk
Path: gather/avideo_ca
Wiz
CVE-2026-28501 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CVE-2026-28501 [CRITICAL]
## CVE-2026-28501: PHP vulnerability analysis and mitigation
NVD description, identical to the summary at the top of this page. Source: NVD
- Score: 9.8
- Published: March 6, 2026
- Severity: CRITICAL
- CNA Score: 9.8
- Affected Technologies: PHP
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due: —
- Published: 2026-03-06