Cyber Resilience

CVE-2026-33352

CriticalPublic PoC

Published: 23 March 2026

Published
23 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0043 34.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-33352 is a critical-severity SQL Injection (CWE-89) vulnerability in Wwbn Avideo. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33352 is an unauthenticated SQL injection vulnerability in WWBN AVideo, an open source video platform. The issue affects versions prior to 26.0 and resides in the `getAllCategories()` method of `objects/category.php`. The `doNotShowCats` request parameter undergoes insufficient sanitization, limited to stripping single-quote characters via `str_replace("'", '', ...)`, which can be easily bypassed using a backslash escape to manipulate SQL string boundaries. This parameter evades the application's global input filters in `objects/security.php`, enabling direct SQL injection.

Remote attackers require no privileges (PR:N), can exploit over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as reflected in the CVSS v3.1 base score of 9.8 (C:H/I:H/A:H). Successful exploitation allows arbitrary SQL query execution, potentially leading to full database compromise, including data exfiltration, modification, or deletion.

The WWBN AVideo security advisory (GHSA-mcj5-6qr4-95fj) and associated patch commit confirm that upgrading to version 26.0 resolves the vulnerability by addressing the sanitization flaw in the affected method.

This issue is linked to CWE-89 (SQL Injection) with no reported real-world exploitation at publication.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this…

more

is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

Unauthenticated remote SQL injection in public-facing web app (AV:N/PR:N) directly enables T1190; arbitrary SQL execution on backend DB enables direct collection from Databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34374Same product: Wwbn Avideo
CVE-2026-33723Same product: Wwbn Avideo
CVE-2026-33651Same product: Wwbn Avideo
CVE-2026-33485Same product: Wwbn Avideo
CVE-2026-33770Same product: Wwbn Avideo
CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-28501Same product: Wwbn Avideo
CVE-2026-41055Same product: Wwbn Avideo
CVE-2020-37172Same product: Wwbn Avideo
CVE-2026-33716Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
≤ 26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted inputs like the `doNotShowCats` parameter to block SQL injection by ensuring only properly formed data reaches the database query.

prevent

Mandates timely remediation of identified flaws, such as patching the insufficient sanitization in `objects/category.php` to version 26.0, eliminating the SQL injection vulnerability.

prevent

Boundary protection mechanisms like web application firewalls inspect and block malicious SQL injection payloads targeting the unauthenticated `getAllCategories()` endpoint.

References