CVE-2026-33485
Published: 23 March 2026
Summary
CVE-2026-33485 is a high-severity SQL Injection (CWE-89) vulnerability in WWBN AVideo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 48.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents time-based blind SQL injection by requiring validation and sanitization of the unauthenticated $_POST['name'] parameter before interpolation into SQL queries in LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists().
- IA-8 (Identification and Authentication (Non-organizational Users)): Requires identification and authentication for non-organizational users, blocking unauthenticated remote attackers from exploiting the publicly accessible RTMP on_publish callback.
- Mandates timely remediation of the specific SQL injection flaw via the patch in commit af59eade82de645b20183cc3d74467a7eac76549 to prevent data exfiltration.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated blind SQL injection in a publicly reachable web endpoint (on_publish.php) directly enables T1190; the same flaw permits arbitrary read access to the backend database, directly enabling T1213.006.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch.
Deeper analysis
CVE-2026-33485 is a time-based blind SQL injection vulnerability in WWBN AVideo, an open source video platform. It affects versions up to and including 26.0. The vulnerability occurs in the RTMP on_publish callback at plugin/Live/on_publish.php, which is accessible without authentication. The $_POST['name'] parameter, used as the stream key, is interpolated directly into SQL queries within LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() without parameterized binding or escaping.
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and mapping to CWE-89. Exploitation enables extraction of all database contents, including sensitive data such as user password hashes and email addresses.
Mitigation is provided in commit af59eade82de645b20183cc3d74467a7eac76549. Additional details are documented in the GitHub security advisory at GHSA-8p58-35c3-ccxx.
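The following is an added illustration of the defect class described above and of the two controls the page names (parameterized binding and input validation). It is not code from the AVideo project or from the referenced commit: the table name, column names, key format, and function names are assumptions made for this example, and an in-memory SQLite database via PDO stands in for the application's MySQL backend so the script runs offline.

```php
<?php
// Added illustration for CVE-2026-33485, not code from the AVideo project:
// a stream-key existence check written the vulnerable way (the untrusted
// key interpolated into the SQL text) beside the hardened way (a prepared
// statement with a bound parameter, plus an allow-list format check).
// The table name, column names and key format are assumptions made for
// this example, not AVideo's schema.

function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE live_transmitions (id INTEGER PRIMARY KEY, users_id INTEGER, stream_key TEXT)');
    // Constructed sample data: a single valid stream key owned by user 1.
    $db->exec("INSERT INTO live_transmitions (users_id, stream_key) VALUES (1, 'abc123')");
    return $db;
}

// Vulnerable pattern (CWE-89): the request parameter is pasted into the query
// string, so any SQL syntax it contains is parsed and executed by the database.
function keyExistsVulnerable(PDO $db, string $key): bool
{
    $sql = "SELECT id FROM live_transmitions WHERE stream_key = '{$key}' LIMIT 1";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened pattern: the key is sent as a bound parameter and can only be
// compared as a value; the SQL text never changes with the input.
function keyExistsSafe(PDO $db, string $key): bool
{
    $stmt = $db->prepare('SELECT id FROM live_transmitions WHERE stream_key = :key LIMIT 1');
    $stmt->execute([':key' => $key]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Input validation (NIST SI-10 style): reject anything that is not a plausible
// stream key before it reaches the database at all. The pattern is an assumed
// format for this example; use the application's real key format in practice.
function isWellFormedKey(string $key): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $key) === 1;
}

// Hardened on_publish-style handler: validate first, then look up with binding.
// Returns true only for a well-formed key that actually exists.
function onPublishCheck(PDO $db, string $postedName): bool
{
    if (!isWellFormedKey($postedName)) {
        return false;
    }
    return keyExistsSafe($db, $postedName);
}

$db = buildSampleDb();
// Constructed request values: one legitimate key and one carrying SQL syntax.
$legit = 'abc123';
$hostile = "nope' OR '1'='1";

printf("vulnerable, legit key:   %s\n", var_export(keyExistsVulnerable($db, $legit), true));
printf("vulnerable, hostile key: %s\n", var_export(keyExistsVulnerable($db, $hostile), true));
printf("safe, legit key:         %s\n", var_export(keyExistsSafe($db, $legit), true));
printf("safe, hostile key:       %s\n", var_export(keyExistsSafe($db, $hostile), true));
printf("handler, hostile key:    %s\n", var_export(onPublishCheck($db, $hostile), true));
```

Run with `php example.php`. The vulnerable function reports the hostile value as an existing key, because the injected OR clause makes the WHERE condition true for every row; the prepared statement compares the same string literally and reports no match, and the format check rejects it before any query runs. Parameter binding is the essential control here, since it removes the interpolation the advisory describes; the allow-list is defence in depth that also denies the quote and function-call characters time-based payloads rely on. For detection, unauthenticated POSTs to the on_publish endpoint whose name parameter fails such a format check are a practical signal to log and alert on.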
Details
- CWE(s)