Cyber Posture

CVE-2026-33651

High · Public PoC

Published: 23 March 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: available (see commit below)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33651 is a high-severity SQL Injection (CWE-89) vulnerability in WWBN AVideo. Its CVSS base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent (SI-10, Information Input Validation): Requires validation and error handling of untrusted inputs such as live_schedule_id at application interfaces, so that the raw value cannot be concatenated directly into SQL LIKE clauses; this blocks the SQL injection.

Prevent (SI-2, Flaw Remediation): Mandates timely flaw remediation by applying the vendor patch (commit 75d45780728294ededa1e3f842f95295d3e7d144), which sanitizes the tainted parameter and eliminates the vulnerability.

Prevent: Enforces input restrictions such as type and format constraints on parameters like live_schedule_id, so that malformed values are rejected before they reach any SQL query.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection in the public-facing AVideo web endpoint directly enables T1190 (initial access through the exposed application) and T1213.006 (collection and exfiltration of arbitrary database contents).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch.

Deeper analysis [AI]

CVE-2026-33651 is a SQL injection vulnerability (CWE-89) in WWBN AVideo, an open source video platform, affecting versions up to and including 26.0. The flaw occurs in the `remindMe.json.php` endpoint, where the `$_REQUEST['live_schedule_id']` parameter is passed through multiple functions without sanitization. Although intermediate functions like `new Live_schedule()` and `getUsers_idOrCompany()` apply `intval()` to local copies within `ObjectYPT::getFromDb()`, the original tainted variable remains unchanged and is directly concatenated into a SQL `LIKE` clause in `Scheduler_commands::getAllActiveOrToRepeat()`.

Any authenticated user can exploit this vulnerability remotely with low complexity and no user interaction. Attackers can perform time-based blind SQL injection by crafting malicious input for the `live_schedule_id` parameter, enabling extraction of arbitrary database contents. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity.

The vulnerability is addressed in commit 75d45780728294ededa1e3f842f95295d3e7d144 of the AVideo repository. Additional details on the issue and remediation are provided in the GitHub security advisory at GHSA-pvw4-p2jm-chjm.
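The mechanism described above, that `intval()` applied to a by-value parameter sanitizes only a local copy while the caller's variable reaches the `LIKE` clause untouched, shown as an added PHP illustration beside a hardened form. This is not AVideo's code: the function names, the table and column, and the LIKE pattern format are assumed for the example.

```php
<?php
// Added illustration of the flaw class described in the advisory; not AVideo's code.
// Function names, table, column and the LIKE pattern are hypothetical.
declare(strict_types=1);

// Models an intermediate helper that casts its own parameter. PHP passes
// scalars by value, so $id is a local copy: the caller's variable is not
// changed by this cast.
function loadSchedule(string $id): array
{
    $id = intval($id);                     // sanitizes the local copy only
    return ['id' => $id, 'users_id' => 7]; // constructed stand-in for a DB row
}

// Vulnerable pattern: the helper "validated" something, but the original
// request string is what gets interpolated into the query text.
function buildQueryVulnerable(string $liveScheduleId): string
{
    $schedule = loadSchedule($liveScheduleId); // $schedule['id'] is an int...
    return "SELECT * FROM scheduler_commands "  // ...but $liveScheduleId is not
         . "WHERE parameters LIKE '%\"live_schedule_id\":{$liveScheduleId}%'";
}

// Hardened pattern: enforce the integer format once at the trust boundary,
// then bind the value so no request-controlled bytes enter the SQL text.
function buildQueryHardened(string $liveScheduleId): array
{
    if (!ctype_digit($liveScheduleId)) {
        throw new InvalidArgumentException('live_schedule_id must be a positive integer');
    }
    $id = (int) $liveScheduleId;
    return [
        'sql'    => 'SELECT * FROM scheduler_commands WHERE parameters LIKE :pattern',
        'params' => [':pattern' => '%"live_schedule_id":' . $id . '%'],
    ];
    // With PDO: $pdo->prepare($q['sql'])->execute($q['params']);
}

// Constructed sample input: a non-numeric suffix stands in for any tainted value.
$tainted = '42abc';
echo buildQueryVulnerable($tainted), PHP_EOL;   // '42abc' appears verbatim in the SQL

$safe = buildQueryHardened('42');
echo $safe['sql'], ' ', json_encode($safe['params']), PHP_EOL;

try {
    buildQueryHardened($tainted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // malformed input never reaches SQL
}
```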

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: wwbn avideo, versions ≤ 26.0

CVEs Like This One

CVE-2026-33723 (same product: WWBN AVideo)
CVE-2026-33485 (same product: WWBN AVideo)
CVE-2026-34374 (same product: WWBN AVideo)
CVE-2026-33352 (same product: WWBN AVideo)
CVE-2026-28501 (same product: WWBN AVideo)
CVE-2026-33770 (same product: WWBN AVideo)
CVE-2026-33767 (same product: WWBN AVideo)
CVE-2026-33292 (same product: WWBN AVideo)
CVE-2026-33716 (same product: WWBN AVideo)
CVE-2020-37172 (same product: WWBN AVideo)

References