CVE-2026-33651 — SQL Injection in Avideo
Severity: 8.8 HIGH (NVD)
EPSS: 0.0% (top 92.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 23
Latest update: Mar 25
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, lea…
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.8 | Impact: 5.9)
Affected Packages: 2 packages
Patches
Vulnerability Details (2 advisories)
GHSA (2026-03-25): AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
OSV (2026-03-25): AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()