Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2026-28501SQL Injection in Avideo

CWE-89SQL Injection6 documents6 sources
Severity
9.8CRITICALNVD
EPSS
22.1%
top 4.20%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Wwbn Avideo
Timeline
PublishedMar 6
Latest updateApr 17

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has b

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDwwbn/avideo< 24.0
Packagistwwbn/avideo21.0.0

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php2026-03-02
GHSA
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php2026-03-02

💥Exploits & PoCs

1
Metasploit
AVideo Unauthenticated SQL Injection Credential Dump

🕵️Threat Intelligence

2
Rapid7
Metasploit Wrap-Up 04/17/20262026-04-17
Wiz
CVE-2026-28501 Impact, Exploitability, and Mitigation Steps | Wiz