CVE-2026-33025 — SQL Injection in Avideo-encoder

CWE-89 — SQL Injection1 documents1 sources

Severity

8.6HIGHNVD

EPSS

0.0%

top 90.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo-encoder

Timeline

PublishedMar 20

Description

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers — making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issu…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

▶NVDwwbn/avideo-encoder< 8.0

Patches

Patch: github.com ↗