Cyber Posture

CVE-2026-34374

Critical · Public PoC

Published: 27 March 2026
Modified: 31 March 2026
KEV Added: not listed
Patch: none available
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0005 (14.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34374 is a critical-severity SQL injection (CWE-89) vulnerability in WWBN AVideo. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 14.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1213.006, Databases). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly mitigates the SQL injection by validating and sanitizing the user-supplied stream key before it is interpolated into SQL queries during RTMP publish authentication.

prevent: Remediates the specific SQL injection flaw in Live_schedule::keyExists() by identifying, testing, and installing software updates or fixes for AVideo versions up to 26.0.

detect (RA-5, Vulnerability Monitoring and Scanning): Conducts vulnerability scans to identify SQL injection issues like CVE-2026-34374 in the stream key lookup path of the AVideo platform.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing AVideo web app (RTMP auth path) directly enables T1190 remote exploitation; resulting DB read/write access directly facilitates T1213.006 data collection from databases.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.

Deeper analysis

CVE-2026-34374 is a SQL injection vulnerability in WWBN AVideo, an open source video platform, affecting versions up to and including 26.0. The issue resides in the `Live_schedule::keyExists()` method, which constructs a SQL query by directly interpolating a user-supplied stream key into the query string without parameterization. This method serves as a fallback invoked by `LiveTransmition::keyExists()` when an initial parameterized lookup yields no results, effectively bypassing the protection of the primary query. The vulnerability specifically targets the stream key lookup path during RTMP publish authentication and is distinct from GHSA-pvw4-p2jm-chjm, which addresses a separate SQL injection in the reminder function via the `live_schedule_id` parameter. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-89.

Unauthenticated attackers with network access can exploit this vulnerability by supplying a malicious stream key during RTMP publish authentication attempts. The low attack complexity and lack of required privileges or user interaction enable remote exploitation over the network. Successful injection allows attackers to achieve high-impact confidentiality and integrity violations, such as extracting sensitive data from the database or modifying records, without affecting availability.

The GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-xgv5-66wp-ch88 provides details on the issue. As of the CVE publication date, no patched versions of AVideo are available, leaving affected installations without an official fix. Security practitioners should monitor for updates from the AVideo project and consider implementing network-level restrictions on RTMP endpoints or input validation as interim mitigations.
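To make the fallback-path defect described above concrete, here is a constructed Python/sqlite3 model added for this page (not AVideo's own code, which is PHP): a parameterized primary lookup that falls back to a string-interpolated query, beside a parameterized fallback that closes the hole. The table and column names, the sample keys and the bogus key are all assumptions.

```python
"""Model of a parameterized lookup whose fallback interpolates the key.
Constructed illustration only; table/column names are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one live transmission key, one scheduled key.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE live_transmitions (id INTEGER PRIMARY KEY, stream_key TEXT)")
    con.execute("CREATE TABLE live_schedule (id INTEGER PRIMARY KEY, stream_key TEXT)")
    con.execute("INSERT INTO live_transmitions (stream_key) VALUES ('live-abc123')")
    con.execute("INSERT INTO live_schedule (stream_key) VALUES ('sched-xyz789')")
    return con


def schedule_key_exists_vulnerable(con: sqlite3.Connection, key: str) -> bool:
    # Fallback as the advisory describes it: the key is interpolated into SQL.
    sql = f"SELECT id FROM live_schedule WHERE stream_key = '{key}'"
    return con.execute(sql).fetchone() is not None


def schedule_key_exists_fixed(con: sqlite3.Connection, key: str) -> bool:
    # Hardened fallback: same lookup, but the key is bound as a parameter.
    sql = "SELECT id FROM live_schedule WHERE stream_key = ?"
    return con.execute(sql, (key,)).fetchone() is not None


def transmition_key_exists(con: sqlite3.Connection, key: str, fallback) -> bool:
    # The primary lookup is parameterized; on a miss it calls the fallback,
    # so the fallback's handling of `key` decides whether the whole path is safe.
    row = con.execute(
        "SELECT id FROM live_transmitions WHERE stream_key = ?", (key,)
    ).fetchone()
    return True if row is not None else fallback(con, key)


# Constructed key that matches no real record but carries a SQL tautology.
BOGUS_KEY = "x' OR '1'='1"


def demo() -> dict:
    con = make_db()
    return {
        "valid_live": transmition_key_exists(con, "live-abc123", schedule_key_exists_fixed),
        "valid_sched": transmition_key_exists(con, "sched-xyz789", schedule_key_exists_fixed),
        "bogus_vulnerable": transmition_key_exists(con, BOGUS_KEY, schedule_key_exists_vulnerable),
        "bogus_fixed": transmition_key_exists(con, BOGUS_KEY, schedule_key_exists_fixed),
    }


if __name__ == "__main__":
    print(demo())
```

The `bogus_vulnerable` result shows the fallback accepting a key that exists in neither table, which is the authentication bypass the advisory describes; the parameterized fallback treats the same input as an ordinary non-matching string.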

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: wwbn / avideo, versions ≤ 26.0

CVEs Like This One

- CVE-2026-33723 (same product: WWBN AVideo)
- CVE-2026-33485 (same product: WWBN AVideo)
- CVE-2026-33651 (same product: WWBN AVideo)
- CVE-2026-33352 (same product: WWBN AVideo)
- CVE-2026-28501 (same product: WWBN AVideo)
- CVE-2026-33770 (same product: WWBN AVideo)
- CVE-2026-33767 (same product: WWBN AVideo)
- CVE-2026-33292 (same product: WWBN AVideo)
- CVE-2026-33716 (same product: WWBN AVideo)
- CVE-2020-37172 (same product: WWBN AVideo)
