CVE-2026-28501
Published: 06 March 2026
Summary
CVE-2026-28501 is a critical-severity SQL Injection (CWE-89) vulnerability in WWBN AVideo. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 3.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validating and sanitizing untrusted inputs such as the catName parameter in JSON POST requests to prevent SQL injection exploitation.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and patching of flaws such as this SQL injection vulnerability, which is fixed in AVideo version 24.0.
- Enables deployment of web application firewalls at system boundaries to inspect and block malicious SQL payloads targeting the affected endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing web application endpoints directly enables exploitation of public-facing applications (T1190).
NVD Description
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Deeper analysis
CVE-2026-28501 is an unauthenticated SQL injection vulnerability (CWE-89) affecting WWBN AVideo, an open-source video platform, in versions prior to 24.0. The flaw resides in the objects/videos.json.php and objects/video.php components, where the catName parameter supplied via a JSON-formatted POST request body is not properly sanitized. JSON input is parsed and merged into the $_REQUEST superglobal after global security checks have executed, allowing payloads to bypass existing sanitization mechanisms. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Any unauthenticated attacker with network access can exploit this vulnerability by sending a crafted JSON POST request to the affected endpoints, injecting malicious SQL via the catName parameter. Successful exploitation could enable arbitrary SQL query execution, potentially leading to full database compromise, including data exfiltration, modification, or deletion, as well as server-side availability disruption.
The issue has been addressed in AVideo version 24.0, as detailed in the project's GitHub security advisory (GHSA-pv87-r9qf-x56p), release notes, and the patching commit. Security practitioners should upgrade to version 24.0 or later and review access logs for suspicious POST requests to the affected components.
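The root cause described above is an ordering bug: the JSON body is merged into $_REQUEST only after the global security checks have run, so a parameter that arrives in JSON is never seen by them. The following PHP sketch is an added illustration and is not AVideo's code; the function names, the regular expression, the table and column names, and the PDO handle are all hypothetical. It shows the vulnerable ordering in comments and a hardened request pipeline that merges every input source before checks run, validates catName against an allowlist (SI-10), and binds the value in a prepared statement so the query can never be altered by its content.

```php
<?php
// Added example, not AVideo's code. Only the parameter name catName and the
// "merge JSON into $_REQUEST" behaviour come from the advisory; everything
// else (function names, regex, table/column names) is a hypothetical stand-in.
declare(strict_types=1);

/** Hypothetical stand-in for the application's "global security checks". */
function runGlobalSecurityChecks(array $request): void
{
    foreach ($request as $key => $value) {
        if (!is_string($key) || !is_string($value)) {
            throw new InvalidArgumentException("unexpected input shape for $key");
        }
    }
}

/** Merge a JSON POST body into the request array, as the advisory says AVideo does. */
function mergeJsonBody(array $request, string $rawBody): array
{
    $decoded = json_decode($rawBody, true);
    return is_array($decoded) ? array_merge($request, $decoded) : $request;
}

// --- Vulnerable ordering (the pattern the advisory describes) ---
// runGlobalSecurityChecks($_REQUEST);                       // sees only query/form params
// $_REQUEST = mergeJsonBody($_REQUEST, file_get_contents('php://input')); // catName arrives unchecked
// $sql = "SELECT ... WHERE catName = '" . $_REQUEST['catName'] . "'";     // string-built SQL

// --- Hardened ordering plus defence in depth ---
function handleVideosRequest(PDO $db, array $request, string $rawBody): array
{
    // 1. Merge every input source first, so the checks see exactly what the query will use.
    $request = mergeJsonBody($request, $rawBody);
    runGlobalSecurityChecks($request);

    // 2. Validate the parameter against what a category name may legitimately contain (SI-10).
    //    The character class is a hypothetical policy; adjust to the real category naming rules.
    $catName = $request['catName'] ?? '';
    if (!preg_match('/^[\p{L}\p{N} _\-]{1,64}$/u', $catName)) {
        throw new InvalidArgumentException('catName rejected by input validation');
    }

    // 3. Never build SQL from the value: bind it. Table and column names are hypothetical.
    $stmt = $db->prepare('SELECT id, title FROM videos WHERE catName = :catName');
    $stmt->execute([':catName' => $catName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch (hypothetical DSN): $db = new PDO('mysql:host=localhost;dbname=avideo', $user, $pass);
// echo json_encode(handleVideosRequest($db, $_REQUEST, file_get_contents('php://input')));
```

Steps 2 and 3 are independent: the prepared statement alone closes the injection, and the allowlist alone would reject the payloads the advisory describes, but keeping both means a future code path that forgets to bind is still covered by validation, and a future relaxation of the allowlist is still covered by binding. The ordering fix in step 1 is what the advisory actually calls out, and it matters for any other parameter the JSON body can carry, not just catName.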
Details
- CWE(s)