CVE-2026-33770
Published: 27 March 2026
Summary
CVE-2026-33770 is a critical-severity SQL Injection (CWE-89) vulnerability in WWBN AVideo. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as crafted category titles and IDs before they are interpolated into SQL queries, directly preventing SQL injection exploitation.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as the SQL injection in fixCleanTitle(), enabling application of the specific patch in commit 994cc2b3d802b819e07e6088338e8bf4e484aae4.
- SC-7 (Boundary Protection): boundary protection with web application firewalls or intrusion prevention systems can inspect and block SQL injection payloads in category creation or renaming requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct, unauthenticated, remote SQL injection in a public-facing web application (the category creation/rename endpoint) enables initial access via T1190 Exploit Public-Facing Application.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
Deeper analysis
CVE-2026-33770 is a SQL injection vulnerability (CWE-89) in WWBN AVideo, an open source video platform. It affects versions up to and including 26.0, where the `fixCleanTitle()` static method in the `objects/category.php` file constructs a SQL SELECT query by directly interpolating the `$clean_title` and `$id` variables into the query string without prepared statements or parameterization. This allows arbitrary SQL injection when category creation or renaming is triggered with a crafted title value. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a malicious title during category creation or renaming, the attacker can inject arbitrary SQL code into the query, potentially leading to high-impact compromise of confidentiality, integrity, and availability, such as data exfiltration, modification, or denial of service.
The GitHub security advisory (GHSA-584p-rpvq-35vf) and commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 detail the patch, which addresses the issue by properly sanitizing or parameterizing the inputs in the query construction. Security practitioners should apply this patch or upgrade to a fixed version of AVideo to mitigate the vulnerability.
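To make the flaw class concrete, here is an added example that is not AVideo's code and not the patched `fixCleanTitle()` from the commit above: a hypothetical category lookup written the way the description says (both `$clean_title` and `$id` interpolated into the SQL text), beside a hardened version that validates the inputs (SI-10) and binds them through a prepared statement. The table, rows and function names are constructed; an in-memory SQLite database via PDO stands in for the platform's MySQL backend so the script runs offline.

```php
<?php
// Added example, not AVideo's own code and not the patched fixCleanTitle().
// Constructed table and rows; in-memory SQLite via PDO so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, clean_title TEXT NOT NULL)');
$db->exec("INSERT INTO categories (id, clean_title) VALUES (1, 'news'), (2, 'sports'), (3, 'music')");

// Hypothetical vulnerable shape (CWE-89): $clean_title and $id become part of the SQL
// text itself, so any quote inside the title changes the statement's structure.
function lookupVulnerable(PDO $db, string $clean_title, $id): array
{
    $sql = "SELECT id, clean_title FROM categories WHERE clean_title = '{$clean_title}' AND id != {$id}";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: validate first (SI-10), then bind through a prepared statement so the
// driver transmits the values separately from the query text.
function lookupSafe(PDO $db, string $clean_title, $id): array
{
    if (preg_match('/^[a-z0-9-]{1,255}$/', $clean_title) !== 1) {
        throw new InvalidArgumentException('clean_title must be a lowercase slug');
    }
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT id, clean_title FROM categories WHERE clean_title = ? AND id != ?');
    $stmt->execute([$clean_title, (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Well-formed input: both variants find exactly the 'sports' row.
printf("normal title: vulnerable=%d rows, safe=%d rows\n",
    count(lookupVulnerable($db, 'sports', 0)), count(lookupSafe($db, 'sports', 0)));

// A title carrying a single quote: in the interpolated query the quote ends the string
// literal early and the rest is parsed as SQL; the hardened path rejects it before any SQL runs.
$quoted = "rock'n'roll";
try {
    lookupVulnerable($db, $quoted, 0);
    echo "vulnerable: statement accepted with altered structure\n";
} catch (PDOException $e) {
    echo 'vulnerable: statement structure broken by the quote: ' . $e->getMessage() . "\n";
}
try {
    lookupSafe($db, $quoted, 0);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected before reaching SQL: ' . $e->getMessage() . "\n";
}
```

Run with `php example.php` (requires the pdo_sqlite extension); the first line reports one row for each variant, the quoted title then produces a PDOException from the interpolated query and an InvalidArgumentException from the validated one.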
Details
- CWE(s)