CVE-2026-28501

CRITICAL

WWBN AVideo < 24.0 - Unauthenticated SQL Injection via catName Parameter in JSON POST Request

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-28501. PoCs published by arkmarta, including Metasploit module auxiliary/gather/avideo_catname_sqli.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated SQL injection vulnerability in AVideo via the catName parameter in objects/videos.json.php. It uses time-based blind injection with BENCHMARK() to dump user credentials.

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

Exploits (1)

metasploit WORKING POC

by arkmarta · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/avideo_catname_sqli.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated SQL injection vulnerability in AVideo via the catName parameter in objects/videos.json.php. It uses time-based blind injection with BENCHMARK() to dump user credentials.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: AVideo <= 22.0

No auth needed

Prerequisites: Target running AVideo <= 22.0 · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Apr 10, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56p

Patch x_refsource_misc

https://github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/WWBN/AVideo/releases/tag/24.0

Scores

CVSS v3 9.8

EPSS 0.2583

EPSS Percentile 96.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-89

Status published

Products (3)

wwbn/avideo < 24.0

wwbn/avideo 0Packagist

WWBN/AVideo < 24.0

Published Mar 06, 2026

Tracked Since Mar 06, 2026