CVE-2026-33352
Published: 23 March 2026
Summary
CVE-2026-33352 is a critical-severity SQL Injection (CWE-89) vulnerability in Wwbn Avideo. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as the `doNotShowCats` parameter, blocking SQL injection by ensuring only properly formed data reaches the database query.
- SI-2 (Flaw Remediation): mandates timely remediation of identified flaws, here by upgrading to version 26.0, which corrects the insufficient sanitization in `objects/category.php` and eliminates the SQL injection vulnerability.
- SC-7 (Boundary Protection): boundary protection mechanisms such as web application firewalls inspect and block malicious SQL injection payloads aimed at the unauthenticated code path in `getAllCategories()`.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in a public-facing web application (AV:N/PR:N) directly enables Exploit Public-Facing Application (T1190); arbitrary SQL execution on the backend database enables direct collection from Databases (T1213.006).
NVD Description
WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.
Deeper analysis
CVE-2026-33352 is an unauthenticated SQL injection vulnerability in WWBN AVideo, an open source video platform. The issue affects versions prior to 26.0 and resides in the `getAllCategories()` method of `objects/category.php`. The `doNotShowCats` request parameter undergoes insufficient sanitization, limited to stripping single-quote characters via `str_replace("'", '', ...)`, which can be bypassed using a backslash escape to manipulate SQL string boundaries. Because the parameter is not covered by the application's global input filters in `objects/security.php`, the flaw is reachable directly from the request.
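To make the sanitization gap concrete, the following is an added illustration (not code from WWBN AVideo) of the weak pattern described above beside a hardened form that treats `doNotShowCats` as a list of integer category IDs and binds it through a prepared statement. The function names, the `categories` table, its `id` column and the mysqli handle are assumptions.

```php
<?php
// Added illustration, not code from WWBN AVideo. The `categories` table,
// its `id` column and the mysqli handle are assumptions.

// Weak pattern the advisory describes: one character is stripped, then the
// value is concatenated into the query. Removing single quotes is not a
// grammar-aware defence, so the string boundary can still be disturbed.
function buildCategorySqlWeak(string $doNotShowCats): string
{
    $doNotShowCats = str_replace("'", '', $doNotShowCats);
    return "SELECT * FROM categories WHERE id NOT IN ('{$doNotShowCats}')";
}

// Hardened form, step 1: treat the parameter as what it is, a list of
// category IDs, and reject anything else instead of trying to clean it.
// Returns null on invalid input so the caller can fail closed.
function parseCategoryIds(string $raw): ?array
{
    if ($raw === '') {
        return [];
    }
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        return null;
    }
    return array_map('intval', explode(',', $raw));
}

// Hardened form, step 2: bind the validated integers through a prepared
// statement, so no request-controlled text ever becomes part of the SQL.
function getAllCategoriesSafe(mysqli $db, string $doNotShowCats): array
{
    $ids = parseCategoryIds($doNotShowCats);
    if ($ids === null) {
        throw new InvalidArgumentException('doNotShowCats must be a comma-separated list of integers');
    }
    $sql = 'SELECT * FROM categories';
    if ($ids !== []) {
        // One placeholder per value; the values themselves are never interpolated.
        $placeholders = implode(',', array_fill(0, count($ids), '?'));
        $sql .= " WHERE id NOT IN ({$placeholders})";
    }
    $stmt = $db->prepare($sql);
    if ($ids !== []) {
        $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}
```

The same allowlist check is also the natural place to add a global filter of the kind the advisory notes is missing for this parameter in `objects/security.php`.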
Remote attackers require no privileges (PR:N), can exploit over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as reflected in the CVSS v3.1 base score of 9.8 (C:H/I:H/A:H). Successful exploitation allows arbitrary SQL query execution, potentially leading to full database compromise, including data exfiltration, modification, or deletion.
The WWBN AVideo security advisory (GHSA-mcj5-6qr4-95fj) and associated patch commit confirm that upgrading to version 26.0 resolves the vulnerability by addressing the sanitization flaw in the affected method.
This issue is linked to CWE-89 (SQL Injection) with no reported real-world exploitation at publication.
Details
- CWE(s)