CVE-2026-33352
Published: 23 March 2026
Summary
CVE-2026-33352 is a critical-severity SQL Injection (CWE-89) vulnerability in Wwbn Avideo. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33352 is an unauthenticated SQL injection vulnerability in WWBN AVideo, an open source video platform. The issue affects versions prior to 26.0 and resides in the `getAllCategories()` method of `objects/category.php`. The `doNotShowCats` request parameter undergoes insufficient sanitization, limited to stripping single-quote characters via `str_replace("'", '', ...)`, which can be easily bypassed using a backslash escape to manipulate SQL string boundaries. This parameter evades the application's global input filters in `objects/security.php`, enabling direct SQL injection.
Remote attackers require no privileges (PR:N), can exploit over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as reflected in the CVSS v3.1 base score of 9.8 (C:H/I:H/A:H). Successful exploitation allows arbitrary SQL query execution, potentially leading to full database compromise, including data exfiltration, modification, or deletion.
The WWBN AVideo security advisory (GHSA-mcj5-6qr4-95fj) and associated patch commit confirm that upgrading to version 26.0 resolves the vulnerability by addressing the sanitization flaw in the affected method.
This issue is linked to CWE-89 (SQL Injection) with no reported real-world exploitation at publication.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20074
Vulnerability details
WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this…
more
is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote SQL injection in public-facing web app (AV:N/PR:N) directly enables T1190; arbitrary SQL execution on backend DB enables direct collection from Databases (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted inputs like the `doNotShowCats` parameter to block SQL injection by ensuring only properly formed data reaches the database query.
Mandates timely remediation of identified flaws, such as patching the insufficient sanitization in `objects/category.php` to version 26.0, eliminating the SQL injection vulnerability.
Boundary protection mechanisms like web application firewalls inspect and block malicious SQL injection payloads targeting the unauthenticated `getAllCategories()` endpoint.