CVE-2026-28501
CRITICALWWBN AVideo <24.0 - SQL Injection
Title source: llmDescription
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Exploits (1)
metasploit
WORKING POC
by arkmarta · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/avideo_catname_sqli.rb
Scores
CVSS v3
9.8
EPSS
0.2092
EPSS Percentile
95.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (3)
wwbn/avideo
< 24.0
wwbn/avideo
0Packagist
WWBN/AVideo
< 24.0
Published
Mar 06, 2026
Tracked Since
Mar 06, 2026