Cyber Resilience

CVE-2026-28501

Critical

Published: 06 March 2026

Modified: 16 March 2026
Patch: available
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0151 (71.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28501 is a critical-severity SQL Injection (CWE-89) vulnerability in Wwbn Avideo. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

WWBN AVideo is an open source video platform that contains an unauthenticated SQL injection vulnerability in versions prior to 24.0. The flaw resides in the objects/videos.json.php and objects/video.php components, where the catName parameter supplied in a JSON-formatted POST request body is not properly sanitized. Because the application parses and merges JSON input into $_REQUEST after global security checks have already run, attackers can bypass existing protections and inject arbitrary SQL. The issue is tracked as CWE-89 and carries a CVSS 3.1 score of 9.8.

Remote attackers with no credentials or user interaction can exploit the vulnerability over the network to read, modify, or delete data and potentially take full control of the affected database and application. Successful exploitation yields complete confidentiality, integrity, and availability impact.

The vulnerability has been addressed in AVideo version 24.0. The project published a security advisory, a corresponding patch commit, and the 24.0 release that remediate the input-handling flaw in the affected endpoints. The associated EPSS score has remained essentially flat near 0.26 with no material increase after disclosure.

Vulnerability details

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
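The root cause described in the analysis above is an ordering problem: a global check runs over the request parameters, and only afterwards is a JSON POST body decoded and merged into $_REQUEST, so the merged values are never inspected before they reach SQL. The following PHP is an added, constructed illustration of that pattern and of the fix the SI-10 control calls for (collect every input source before validating, validate by rejection, and bind parameters). It is not AVideo's code; the function names, table layout and the addslashes-based stand-in for the "global security check" are hypothetical. It runs stand-alone against an in-memory SQLite database through PDO.

```php
<?php
// Added, constructed example of the check-ordering flaw and its hardened form.
// Not AVideo's code: all function/table names are hypothetical.
declare(strict_types=1);

// ---------- Flawed pattern (simplified): check $_REQUEST first, merge JSON later ----------

// 1. A global security check walks the request parameters as they exist at that moment.
//    addslashes() is a hypothetical stand-in for whatever the global filter does.
function globalSecurityCheck(array &$request): void
{
    foreach ($request as $k => $v) {
        if (is_string($v)) {
            $request[$k] = addslashes($v);
        }
    }
}

// 2. Only afterwards is a JSON POST body decoded and merged into the same array,
//    so keys that arrive in the JSON body overwrite or add to already-checked keys.
function mergeJsonBody(array &$request, string $rawBody): void
{
    $json = json_decode($rawBody, true);
    if (is_array($json)) {
        $request = array_merge($request, $json);
    }
}

// 3. The endpoint then concatenates the never-checked value straight into SQL.
function flawedCategoryQuery(array $request): string
{
    return "SELECT id, title FROM videos WHERE category = '" . ($request['catName'] ?? '') . "'";
}

// ---------- Hardened pattern: collect all sources, then validate, then bind ----------

// Every input source (query string, form body, JSON body) is gathered BEFORE any check runs.
function collectRequest(array $get, array $post, string $rawBody, string $contentType): array
{
    $params = array_merge($get, $post);
    if (stripos($contentType, 'application/json') === 0) {
        $json = json_decode($rawBody, true);
        if (is_array($json)) {
            $params = array_merge($params, $json);
        }
    }
    return $params;
}

// Validate by rejection against an allow-list, rather than trying to "clean" the value.
function validateCategoryName(array $params): ?string
{
    $cat = $params['catName'] ?? null;
    if (!is_string($cat) || !preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $cat)) {
        return null;
    }
    return $cat;
}

// Parameter binding: the bound value is data and can never alter the SQL structure.
function safeCategoryQuery(PDO $db, string $catName): array
{
    $stmt = $db->prepare('SELECT id, title FROM videos WHERE category = :cat');
    $stmt->execute([':cat' => $catName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ---------- Demo with constructed data ----------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, category TEXT)');
$db->exec("INSERT INTO videos (title, category) VALUES ('Intro', 'tutorials'), ('Keynote', 'talks')");

$rawBody = '{"catName":"talks"}';   // constructed JSON POST body

// Flawed flow: the check runs over an empty $_REQUEST, then the JSON value lands unchecked.
$request = [];
globalSecurityCheck($request);
mergeJsonBody($request, $rawBody);
echo "Flawed SQL (catName reached the query without any check):" . PHP_EOL;
echo '  ' . flawedCategoryQuery($request) . PHP_EOL;

// Hardened flow: collect all sources first, validate, then bind.
$params = collectRequest([], [], $rawBody, 'application/json');
$cat = validateCategoryName($params);
if ($cat === null) {
    echo "Rejected: catName failed validation" . PHP_EOL;
} else {
    print_r(safeCategoryQuery($db, $cat));
}
```

The point to take from the two flows is that sanitization placed in front of the parameter array is only as good as the array's contents at that instant; any code path that adds parameters later (here, JSON-body merging) silently bypasses it. Prepared statements remove the dependency on ordering altogether, and the allow-list check adds defence in depth for a value that has a naturally narrow format.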

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated SQL injection in public-facing web application endpoints directly enables exploitation of public-facing applications (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33770 (same product: Wwbn Avideo)
CVE-2026-33767 (same product: Wwbn Avideo)
CVE-2026-34374 (same product: Wwbn Avideo)
CVE-2026-33723 (same product: Wwbn Avideo)
CVE-2026-33352 (same product: Wwbn Avideo)
CVE-2026-33651 (same product: Wwbn Avideo)
CVE-2026-33485 (same product: Wwbn Avideo)
CVE-2026-41055 (same product: Wwbn Avideo)
CVE-2020-37172 (same product: Wwbn Avideo)
CVE-2026-33716 (same product: Wwbn Avideo)

Affected Assets

wwbn avideo ≤ 24.0

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of all input parameters (including JSON POST bodies) before they reach SQL processing, blocking the catName injection.

Recover (SI-2, Flaw Remediation): Mandates timely remediation of known flaws such as the unsanitized input path in videos.json.php/video.php, which was corrected in version 24.0.

Detect: Enables monitoring and alerting on anomalous database queries or error patterns that would result from successful exploitation of the SQL injection.
