CVE-2026-33723
Published: 23 March 2026
Summary
CVE-2026-33723 is a high-severity SQL Injection (CWE-89) vulnerability in WWBN AVideo. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 7.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as the `user_id` parameter from POST data before it is concatenated into SQL queries, directly preventing SQL injection.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and patching of flaws like this SQL injection vulnerability, as evidenced by the available commit patch.
- Enables vulnerability scanning to identify SQL injection flaws in the `Subscribe::save()` method, facilitating proactive remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (`Subscribe::save()`) directly enables remote exploitation of the application (T1190) and unauthorized extraction of data and credentials from backend database tables (T1213.006).
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.
Deeper analysis
CVE-2026-33723 is a SQL injection vulnerability (CWE-89) in the open-source WWBN AVideo video platform, affecting versions up to and including 26.0. The issue resides in the `Subscribe::save()` method within `objects/subscribe.php`, which directly concatenates the `$this->users_id` property into an INSERT SQL query without sanitization or parameterized binding. This property is sourced from `$_POST['user_id']` in `subscribe.json.php` and `subscribeNotify.json.php`, enabling classic SQL injection.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as scored at CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). By manipulating the `user_id` parameter, they can inject arbitrary SQL during subscription operations, extracting sensitive data from any database table, such as password hashes, API keys, and encryption salts.
The GitHub security advisory (GHSA-ffr8-fxhv-fv8h) and patch commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c detail mitigation by properly sanitizing or binding the `users_id` value in the SQL query, recommending immediate upgrades to patched versions for affected AVideo installations.
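To make the difference between the flawed pattern and the remediated one concrete, the following is an added illustration written for this page; it is not AVideo's code and not the content of the referenced commit. It assumes a `mysqli` connection, a hypothetical `subscribes` table with `users_id` and `subscriber_users_id` columns, and a request handler that receives `user_id` from POST as the advisory describes. The "before" class reproduces the string-concatenation pattern the advisory names; the "after" class applies SI-10 style input validation (reject anything that is not a positive integer) and a prepared statement with typed parameter binding, so the query text can no longer be altered by the request value.

```php
<?php
// Added illustration, not AVideo's code. Table and column names
// (subscribes, users_id, subscriber_users_id) are assumed for the example.
declare(strict_types=1);

final class SubscribeBefore
{
    public function __construct(
        private mysqli $db,
        private mixed $users_id,            // arrives straight from $_POST['user_id']
        private int $subscriber_users_id
    ) {}

    // Vulnerable pattern: the untrusted value is spliced into the SQL text itself.
    public function save(): bool
    {
        $sql = "INSERT INTO subscribes (users_id, subscriber_users_id) VALUES ("
             . $this->users_id . ", " . $this->subscriber_users_id . ")";
        return $this->db->query($sql) === true;
    }
}

final class SubscribeAfter
{
    private int $users_id;

    public function __construct(
        private mysqli $db,
        mixed $users_id,
        private int $subscriber_users_id
    ) {
        // SI-10: validate before the value gets anywhere near SQL.
        // FILTER_VALIDATE_INT returns false for anything that is not a clean integer.
        $validated = filter_var($users_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($validated === false) {
            throw new InvalidArgumentException('users_id must be a positive integer');
        }
        $this->users_id = $validated;
    }

    // Hardened: the query text is fixed; values travel as typed bound parameters.
    public function save(): bool
    {
        $stmt = $this->db->prepare(
            'INSERT INTO subscribes (users_id, subscriber_users_id) VALUES (?, ?)'
        );
        if ($stmt === false) {
            return false;
        }
        $stmt->bind_param('ii', $this->users_id, $this->subscriber_users_id);
        $ok = $stmt->execute();
        $stmt->close();
        return $ok;
    }
}

// Request handling in the shape the advisory describes: user_id comes from POST.
// $currentUserId would come from the authenticated session, not from the request.
function handleSubscribeRequest(mysqli $db, array $post, int $currentUserId): array
{
    try {
        $sub = new SubscribeAfter($db, $post['user_id'] ?? null, $currentUserId);
        return ['error' => !$sub->save()];
    } catch (InvalidArgumentException $e) {
        // A non-integer user_id on this endpoint is a useful detection signal; log it.
        error_log('subscribe: rejected user_id=' . var_export($post['user_id'] ?? null, true));
        return ['error' => true, 'msg' => 'invalid user_id'];
    }
}
```

Two layers are deliberate: the integer validation stops malformed input at the boundary (and gives defenders a log line to alert on), while the prepared statement guarantees that even a value which slips past validation is treated as data, not as SQL. Either layer alone closes the concatenation path described in the advisory; together they also cover future code that reuses `users_id` in other queries.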
Details
- CWE(s)