{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33485", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.971Z", "datePublished": "2026-03-23T14:14:15.477Z", "dateUpdated": "2026-03-25T14:17:20.198Z"}, "containers": {"cna": {"title": "AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx"}, {"name": "https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T14:14:15.477Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations \u2014 `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` \u2014 without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch."}], "source": {"advisory": "GHSA-8p58-35c3-ccxx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:15:14.111625Z", "id": "CVE-2026-33485", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:17:20.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33485", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:15:14.111625Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:16:44.720Z"}}], "cna": {"title": "AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter", "source": {"advisory": "GHSA-8p58-35c3-ccxx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549", "name": "https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations \u2014 `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` \u2014 without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T14:14:15.477Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33485", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:17:20.198Z", "dateReserved": "2026-03-20T16:16:48.971Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T14:14:15.477Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations \u2014 `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` \u2014 without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el callback RTMP 'on_publish' en 'plugin/Live/on_publish.php' es accesible sin autenticaci\u00f3n. El par\u00e1metro '$_POST['name']' (clave de transmisi\u00f3n) se interpola directamente en consultas SQL en dos ubicaciones \u2014 'LiveTransmitionHistory::getLatest()' y 'LiveTransmition::keyExists()' \u2014 sin enlace parametrizado ni escape. Un atacante no autenticado puede explotar una inyecci\u00f3n SQL ciega basada en tiempo para extraer todo el contenido de la base de datos, incluyendo hashes de contrase\u00f1as de usuarios, direcciones de correo electr\u00f3nico y otros datos sensibles. El commit af59eade82de645b20183cc3d74467a7eac76549 contiene un parche."}], "id": "CVE-2026-33485", "lastModified": "2026-03-24T18:35:45.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T15:16:34.887", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T19:28:52.775376+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to a version newer than 26.0 that includes the patch in commit af59eade82de645b20183cc3d74467a7eac76549", "If an upgrade is unavailable, restrict access to the RTMP on_publish endpoint so that only authenticated clients can reach it", "Consider disabling the Live Transmition plugin or removing the on_publish callback entirely if RTMP streaming is not used", "Monitor database logs for suspicious slow queries that may indicate ongoing attempts to exploit the injection"], "summary": {"action": "Immediate Patch", "impact": "Data Exfiltration via Blind SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WWBN AVideo platform, versions up to and including 26.0. Any deployment of these versions that exposes the RTMP on_publish endpoint without authentication is at risk. Upgrading to a version that includes the patch in commit af59eade82de645b20183cc3d74467a7eac76549 removes the flaw.", "description_and_impact": "The error occurs when an attacker supplies a crafted stream name during the RTMP on_publish callback. The application directly interpolates the stream key into two SQL statements within LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() without parameter binding or escaping. This results in a time\u2011based blind SQL injection that can be leveraged by an unauthenticated user to read every row from the database, including password hashes and email addresses. Because the data is publicly available to anyone who can initiate an RTMP publish request, the confidentiality of user accounts is fully compromised.", "risk_and_exploitability": "The CVSS score of 7.5 classifies the issue as high severity. EPSS indicates the probability of exploitation is less than 1%, and the vulnerability has not been reported in the CISA KEV catalog. The attack vector is unauthenticated and remote, requiring only the ability to send an RTMP publish request. Because it is a blind injection, an attacker can perform a time\u2011based extraction without immediate feedback, making automated exploitation more tedious but still feasible for a determined adversary. Users with remote RTMP access are therefore at a significant risk until the patch is applied."}}}}, "created": "2026-03-24T10:33:44.964116+00:00", "updated": "2026-03-25T21:28:00.546833+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}