CVE-2026-28501
Published: 06 March 2026
Summary
CVE-2026-28501 is a critical-severity SQL Injection (CWE-89) vulnerability in Wwbn Avideo. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
WWBN AVideo is an open source video platform that contains an unauthenticated SQL injection vulnerability in versions prior to 24.0. The flaw resides in the objects/videos.json.php and objects/video.php components, where the catName parameter supplied in a JSON-formatted POST request body is not properly sanitized. Because the application parses and merges JSON input into $_REQUEST after global security checks have already run, attackers can bypass existing protections and inject arbitrary SQL. The issue is tracked as CWE-89 and carries a CVSS 3.1 score of 9.8.
Remote attackers with no credentials or user interaction can exploit the vulnerability over the network to read, modify, or delete data and potentially take full control of the affected database and application. Successful exploitation yields complete confidentiality, integrity, and availability impact.
The vulnerability has been addressed in AVideo version 24.0. The project published a security advisory, a corresponding patch commit, and the 24.0 release that remediate the input-handling flaw in the affected endpoints. The associated EPSS score has remained essentially flat near 0.26 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9970
Vulnerability details
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing web application endpoints directly enables exploitation of public-facing applications (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of all input parameters (including JSON POST bodies) before they reach SQL processing, blocking the catName injection.
- SI-2 (Flaw Remediation): Mandates timely remediation of known flaws such as the unsanitized input path in videos.json.php/video.php, which was corrected in version 24.0.
- Enables monitoring and alerting on anomalous database queries or error patterns that would result from successful exploitation of the SQL injection.
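The ordering flaw described in the analysis above and the SI-10 control here, shown side by side in PHP as an added illustration that is not AVideo's code: the vulnerable path runs its global checks before the JSON body is merged into the request, so a catName supplied only in JSON is never inspected; the hardened path merges first, allowlists catName, and binds it in a prepared statement. The checking function, the categories table and the use of an in-memory SQLite database (pdo_sqlite extension) are assumptions made for the demo.

```php
<?php
// Added illustration (not AVideo's code). Models the input-ordering flaw:
// global checks inspect the request before a JSON POST body is decoded and
// merged into it, so a catName supplied only in JSON is never checked.

// Hypothetical stand-in for an early, global sanitizer.
function globalInputChecks(array $request): array {
    foreach ($request as $key => $value) {
        if (is_string($value) && preg_match('/[\'";]/', $value)) {
            unset($request[$key]);   // drop values carrying SQL metacharacters
        }
    }
    return $request;
}

// Decodes a JSON body and merges it over the existing request parameters.
function mergeJsonBody(array $request, string $rawBody): array {
    $decoded = json_decode($rawBody, true);
    return is_array($decoded) ? array_merge($request, $decoded) : $request;
}

// Vulnerable ordering: checks run, then JSON is merged, then SQL is built
// by string concatenation. Anything in the JSON body skips the checks.
function vulnerableQuery(array $request, string $rawBody): string {
    $request = globalInputChecks($request);
    $request = mergeJsonBody($request, $rawBody);
    return "SELECT id FROM categories WHERE name = '" . ($request['catName'] ?? '') . "'";
}

// Hardened ordering: merge first, then validate against an allowlist, then
// bind the value in a prepared statement so it can never change the SQL.
function hardenedQuery(PDO $db, array $request, string $rawBody): PDOStatement {
    $request = mergeJsonBody($request, $rawBody);
    $catName = $request['catName'] ?? '';
    if (!is_string($catName) || !preg_match('/^[\w\- ]{1,64}\z/', $catName)) {
        throw new InvalidArgumentException('catName rejected by allowlist');
    }
    $stmt = $db->prepare('SELECT id FROM categories WHERE name = :name');
    $stmt->bindValue(':name', $catName, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt;
}

// Constructed demo data: an in-memory SQLite table and a JSON POST body.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO categories (name) VALUES ('Movies')");
$body = '{"catName":"Movies"}';
echo vulnerableQuery([], $body), PHP_EOL;   // built without the checks ever seeing catName
echo hardenedQuery($db, [], $body)->fetchColumn(), PHP_EOL;
```

A JSON body whose catName contains quotes or other non-allowlisted characters is dropped by the hardened path with an exception, while the vulnerable path splices it into the query text unchanged.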