Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 26.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/994cc2b3d802b819e07e6088338e8bf4e484aae4Patch
- https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vfExploitVendor Advisory
FAQ
What is CVE-2026-33770?
CVE-2026-33770 is a vulnerability with a CVSS score of 9.8 (CRITICAL). WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolatin...
How severe is CVE-2026-33770?
CVE-2026-33770 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33770?
Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.