CVE-2026-33723 — SQL Injection in Avideo

CWE-89 — SQL Injection4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 94.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

PublishedMar 23

Latest updateMar 25

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password h…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDwwbn/avideo26.0

▶Packagistwwbn/avideo26.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter↗2026-03-25

▶

GHSA

AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter↗2026-03-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33723 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶