CVE-2026-33025
Published: 20 March 2026
Summary
CVE-2026-33025 is a high-severity SQL Injection (CWE-89) vulnerability in Wwbn Avideo-Encoder. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 2.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as the $_POST['sort'] array keys, ensuring they conform to safe SQL identifier syntax and thereby preventing identifier-based SQL injection.
- SI-2 (Flaw Remediation): mandates timely remediation of identified flaws such as this SQL injection vulnerability by patching to AVideo version 8.0.
- Restrictions on information inputs at system interfaces, such as whitelisting the characters [A-Za-z0-9_] for sort keys, block malicious SQL identifiers before they reach the query builder.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing AVideo web app (getSqlFromPost) directly maps to T1190 for exploitation by authenticated users; arbitrary SQL execution on the backend database enables T1213.006 for data collection/modification from information repositories.
NVD Description
AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, making it entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
Deeper analysis
CVE-2026-33025 is a SQL injection vulnerability (CWE-89) in AVideo, an open-source video-sharing platform. It affects versions prior to 8.0 and is located in the getSqlFromPost() method of the Object.php file. The vulnerability arises because keys from the $_POST['sort'] array are directly used as SQL column identifiers within an ORDER BY clause. While real_escape_string() is applied to these keys, it only escapes string-context characters like quotes and null bytes, offering no protection against SQL identifier injection.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity by low-privileged users, such as authenticated account holders, without requiring user interaction. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary SQL execution to extract data, modify records, or disrupt services.
The issue was fixed in AVideo version 8.0, as detailed in the GitHub security advisory (GHSA-5qvj-5h75-27pj) and corresponding commit (d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124). Without upgrading, mitigation includes deploying a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_], or restricting access to the affected endpoints (queue.json.php and index.php) to trusted IP ranges.
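The following Python is an added illustration of the flaw class described in the NVD description and the analysis above; it is not code from AVideo, the advisory, or the fix commit. It models getSqlFromPost()'s behaviour with a stand-in for mysqli's real_escape_string (escaping only the characters that function documents: NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z), shows that an identifier-context payload passes through that escaping untouched and is executed by the database inside ORDER BY, and then applies the advisory's [A-Za-z0-9_] whitelist as both a query-builder check and a WAF-style request check. The table, rows, column names and payload are constructed for the example; SQLite stands in for MySQL.

```python
import re
import sqlite3

# Stand-in for mysqli::real_escape_string (assumption: same escaping set as the
# PHP documentation lists). Only string-literal metacharacters are touched, so
# spaces, parentheses, commas and keywords in an identifier position survive.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def real_escape_string(s: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def _direction(d) -> str:
    return "DESC" if str(d).upper() == "DESC" else "ASC"


def order_by_vulnerable(sort: dict) -> str:
    """Vulnerable pattern: the array KEYS become column identifiers after
    string-context escaping only (the flaw described for getSqlFromPost())."""
    parts = [f"{real_escape_string(col)} {_direction(d)}" for col, d in sort.items()]
    return " ORDER BY " + ", ".join(parts) if parts else ""


# The advisory's character whitelist for sort[*] keys.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def order_by_hardened(sort: dict, allowed: frozenset) -> str:
    """Hardened pattern: reject any key that is not a bare identifier, and also
    require it to be a column this query is meant to expose (the regex alone
    still lets a client sort by any syntactically valid column name)."""
    parts = []
    for col, d in sort.items():
        if not IDENT_RE.fullmatch(col) or col not in allowed:
            raise ValueError(f"rejected sort key: {col!r}")
        parts.append(f"{col} {_direction(d)}")
    return " ORDER BY " + ", ".join(parts) if parts else ""


def waf_allows(post: dict) -> bool:
    """Request-level check equivalent to the advisory's interim WAF rule:
    block the POST if any sort[*] key has a character outside [A-Za-z0-9_]."""
    return all(IDENT_RE.fullmatch(k) for k in post.get("sort", {}))


def run(order_by: str) -> list:
    """Execute SELECT id FROM videos<order_by> against a constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE videos(id INTEGER, title TEXT, views INTEGER);
        INSERT INTO videos VALUES (1, 'a', 10), (2, 'b', 30), (3, 'c', 20);
    """)
    return [row[0] for row in conn.execute("SELECT id FROM videos" + order_by)]


# Constructed identifier-context payload: a sub-select inside a CASE expression
# that flips the sort direction depending on the sub-select's result. It uses
# no quotes, so real_escape_string() leaves it byte-for-byte unchanged.
PAYLOAD = "(CASE WHEN (SELECT count(*) FROM sqlite_master) = 1 THEN id ELSE -id END)"
ALLOWED_SORT_COLUMNS = frozenset({"id", "title", "views"})


if __name__ == "__main__":
    print(run(order_by_vulnerable({"views": "DESC"})))          # legitimate use
    print(real_escape_string(PAYLOAD) == PAYLOAD)               # escaping is a no-op
    print(run(order_by_vulnerable({PAYLOAD: "ASC"})))           # sub-select executes
    print(waf_allows({"sort": {PAYLOAD: "ASC"}}))               # WAF rule blocks it
    try:
        order_by_hardened({PAYLOAD: "ASC"}, ALLOWED_SORT_COLUMNS)
    except ValueError as exc:
        print(exc)
```

The ordering of the injected query depends on the sub-select's outcome, which is exactly the primitive that turns an ORDER BY identifier injection into data extraction. Note that the whitelist regex on its own only guarantees the key is an identifier; pairing it with an explicit list of sortable columns, as order_by_hardened does, is the stricter form of the same SI-10 control.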
Details
- CWE(s)