CVE-2026-33767
Published: 27 March 2026
Summary
CVE-2026-33767 is a high-severity SQL injection (CWE-89) vulnerability in WWBN AVideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs such as videos_id, which prevents SQL injection by ensuring inputs conform to the expected format (here, an integer identifier) and rejecting anything else before it reaches the query.
SI-2 mandates timely identification, reporting, and remediation of flaws such as this SQL injection vulnerability through patching as provided in the referenced commit.
RA-5 requires regular vulnerability scanning that would identify the SQL injection flaw in the getLike() method, enabling proactive remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (AVideo) is directly exploitable over the network by authenticated users with low privileges, matching T1190 Exploit Public-Facing Application as the primary technique enabled by the flaw.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.
Deeper analysis
CVE-2026-33767 is a SQL injection vulnerability (CWE-89) in WWBN AVideo, an open source video platform. It affects versions up to and including 26.0, specifically in the `getLike()` method of `objects/like.php`. The method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization, allowing attackers who control the `videos_id` value to inject arbitrary SQL and bypass the partial prepared-statement protection.
The vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L) by an authenticated user with low privileges (PR:L), requiring no user interaction (UI:N) and maintaining unchanged scope (S:U). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8. Attackers can craft requests to manipulate `videos_id` and execute malicious SQL queries.
Mitigation is provided in commit 0215d3c4f1ee748b8880254967b51784b8ac4080. Further details are available in the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-fj74-qxj7-r3vc and the patch commit at https://github.com/WWBN/AVideo/commit/0215d3c4f1ee748b8880254967b51784b8ac4080.
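As an added illustration, not code from the AVideo project (the patch commit referenced above is the authoritative fix), the following PHP 8 snippet contrasts the half-parameterized pattern the description attributes to `getLike()` with a fully parameterized version that also enforces the input validation SI-10 calls for. The table name `likes`, its columns, and the function names `getLikeVulnerable`, `validateId` and `getLikeFixed` are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the AVideo project. It models only what the
// advisory describes: a query that binds users_id with "?" but splices videos_id
// into the SQL text. Table and column names (likes, users_id, videos_id) and the
// function names are assumptions made for this example.

/**
 * Pattern the advisory describes (vulnerable): one value bound, one concatenated.
 * Whatever string $videos_id holds becomes part of the SQL text, so the "?"
 * placeholder protects users_id only.
 */
function getLikeVulnerable(mysqli $db, int $users_id, $videos_id): ?array
{
    $sql = "SELECT * FROM likes WHERE users_id = ? AND videos_id = " . $videos_id;
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $users_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Input validation in the sense of SI-10: accept only a positive integer id.
 * Returns null for anything else so the caller can reject the request before
 * the value reaches the database layer.
 */
function validateId(mixed $value): ?int
{
    if (is_int($value) && $value > 0) {
        return $value;
    }
    if (is_string($value) && preg_match('/^[1-9][0-9]*$/', $value) === 1) {
        return (int) $value;
    }
    return null;
}

/**
 * Hardened form: both values are bound as integers, no request data is ever
 * concatenated into the SQL text, and the id is validated before use.
 */
function getLikeFixed(mysqli $db, int $users_id, mixed $videos_id): ?array
{
    $vid = validateId($videos_id);
    if ($vid === null) {
        throw new InvalidArgumentException('videos_id must be a positive integer');
    }
    $sql = "SELECT * FROM likes WHERE users_id = ? AND videos_id = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ii', $users_id, $vid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Called with raw request input (for example a value taken from `$_GET`), `getLikeVulnerable()` forwards that string into the query text, while `getLikeFixed()` either binds a validated integer or refuses the request. Binding every user-controlled value is the structural fix; the integer check is the defence-in-depth layer that SI-10 describes and that also gives a clean rejection to log and alert on.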
Details
- CWE(s)