{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33352", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-23T13:53:47.260Z", "dateUpdated": "2026-03-24T17:44:35.562Z"}, "containers": {"cna": {"title": "AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj"}, {"name": "https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T13:53:47.260Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-mcj5-6qr4-95fj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T17:43:51.395999Z", "id": "CVE-2026-33352", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:44:35.562Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33352", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T17:43:51.395999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:44:26.443Z"}}], "cna": {"title": "AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)", "source": {"advisory": "GHSA-mcj5-6qr4-95fj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874", "name": "https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T13:53:47.260Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33352", "state": "PUBLISHED", "dateUpdated": "2026-03-24T17:44:35.562Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T13:53:47.260Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue."}], "id": "CVE-2026-33352", "lastModified": "2026-03-23T15:56:03.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T14:16:33.580", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-23T18:05:18.330371+00:00", "value": {"mitigation_remediation": ["Upgrade the AVideo installation to version 26.0 or later, which includes the patch for the getAllCategories() method.", "After upgrading, confirm that the file objects/category.php reflects the fixed code; if the upgrade process does not apply the change, replace the file manually with the version from the 26.0 release.", "If an immediate upgrade is not feasible, block or remove the doNotShowCats parameter in incoming requests or apply a temporary filter that rejects the parameter before it reaches the application.", "Deploy a web application firewall or additional input validation to detect and mitigate injection attempts in other parts of the system.", "Regularly monitor application logs for anomalous database queries and keep the platform signed off with the latest security patches."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated SQL Injection"}, "threat_synthesis": {"affected_systems": "All deployments of the open\u2011source AVideo platform running any release older than 26.0 are affected. The code harboring the flaw exists in the core application files and has been fixed starting with the 26.0 release.", "description_and_impact": "In versions of the AVideo video platform before 26.0, the getAllCategories() method processes the doNotShowCats request parameter by removing only single\u2011quote characters. This removal can be bypassed with a backslash escape, allowing attackers to craft requests that inject arbitrary SQL into the database query. Because the application exposes this vulnerability to unauthenticated users, the injected SQL can read, modify, or delete data in the database, compromising confidentiality, integrity, and availability of stored media and metadata.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, indicating a high\u2011severity risk. No defined exploit probability score is available, and the vulnerability is not listed among known exploited vulnerabilities. The lack of authentication requirements means the attack can be performed over the network with simple HTTP requests, and an attacker could retrieve or alter any database content."}}}}, "created": "2026-03-24T10:33:51.088162+00:00", "updated": "2026-03-25T21:28:07.408784+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}