CVE-2026-28501: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo
CVE-2026-28501 is a critical SQL Injection vulnerability in WWBN AVideo versions prior to 24.0. It affects the objects/videos.json.php and objects/video.php components, where the catName parameter is improperly sanitized when supplied via a JSON-formatted POST request. The vulnerability arises because JSON input is parsed and merged into $_REQUEST after global security checks, allowing attackers to bypass sanitization. This flaw enables unauthenticated attackers to execute arbitrary SQL commands, potentially compromising confidentiality, integrity, and availability of the backend database. The vulnerability has been patched in version 24.0.
AI Analysis
Technical Summary
CVE-2026-28501 is a critical SQL Injection vulnerability identified in the open-source video platform WWBN AVideo, specifically affecting versions prior to 24.0. The vulnerability exists in the objects/videos.json.php and objects/video.php components, where the application fails to properly sanitize the 'catName' parameter when it is provided via a JSON-formatted POST request body. The root cause is that JSON input is parsed and merged into the PHP $_REQUEST superglobal after global security checks have been executed. This sequence allows maliciously crafted SQL injection payloads to bypass existing sanitization and validation mechanisms. Because the vulnerability is exploitable without authentication (AV:N/PR:N/UI:N), an attacker can remotely inject arbitrary SQL commands, potentially leading to unauthorized data disclosure, data modification, or deletion, and even full compromise of the backend database. The vulnerability impacts confidentiality, integrity, and availability of data stored by the application. The issue has been addressed and patched in version 24.0 of AVideo. Although no known exploits are currently reported in the wild, the critical CVSS score of 9.8 reflects the high risk posed by this vulnerability.
Potential Impact
The SQL Injection vulnerability in WWBN AVideo can have severe consequences for organizations using affected versions. An unauthenticated attacker can execute arbitrary SQL commands on the backend database, leading to unauthorized access to sensitive user data, including video metadata and potentially user credentials if stored in the database. Attackers could modify or delete video content records, disrupt service availability, or escalate attacks to compromise the underlying server infrastructure. This can result in data breaches, loss of user trust, regulatory penalties, and operational downtime. Given that AVideo is an open-source platform used globally for video hosting and streaming, organizations relying on it for content delivery or internal video management are at significant risk. The ease of exploitation and lack of authentication requirements increase the likelihood of attacks, especially in environments where the platform is exposed to the internet without additional protective controls.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade WWBN AVideo to version 24.0 or later, where the issue is patched. Until the upgrade can be performed, implement web application firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'catName' parameter in JSON POST requests. Review and harden input validation mechanisms to ensure JSON inputs are sanitized before merging into $_REQUEST or similar global variables. Disable or restrict access to the affected endpoints (objects/videos.json.php and objects/video.php) from untrusted networks if possible. Conduct thorough code audits to verify no other parameters or endpoints are vulnerable to similar injection flaws. Additionally, monitor application logs for suspicious SQL syntax or unexpected database errors that could indicate exploitation attempts. Employ database least privilege principles to limit the impact of any successful injection.
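The following PHP sketch, added here as an illustration and not taken from AVideo's code base, shows the ordering flaw described in the Technical Summary (JSON body merged into $_REQUEST after the global checks) next to the hardened order recommended above, plus a bound-parameter lookup for catName. The function names, the sanitization policy inside globalRequestChecks, the categories table and the in-memory SQLite stand-in for the real database are all assumptions for the demonstration.

```php
<?php
// Added illustration of the ordering flaw behind CVE-2026-28501; this is NOT
// AVideo's code. Assumed: a bootstrap sanitises $_REQUEST, and a JSON POST
// body is later decoded and merged into $_REQUEST.
declare(strict_types=1);

// Stand-in for the platform's global checks (illustrative policy only).
function globalRequestChecks(array $request): array
{
    foreach ($request as $key => $value) {
        if (is_string($value)) {
            $request[$key] = preg_replace('/[^\w\s-]/u', '', $value);
        }
    }
    return $request;
}

function mergeJsonBody(array $request, string $rawBody): array
{
    $decoded = json_decode($rawBody, true);
    return is_array($decoded) ? array_merge($request, $decoded) : $request;
}

// $mergeAfterChecks = true reproduces the advisory's vulnerable sequence: the checks
// run before the JSON body exists in $_REQUEST, so catName reaches the handler
// untouched. false merges the body first, so the checks actually see it.
function resolveCatName(string $rawBody, bool $mergeAfterChecks): string
{
    $request = $mergeAfterChecks
        ? mergeJsonBody(globalRequestChecks([]), $rawBody)
        : globalRequestChecks(mergeJsonBody([], $rawBody));
    return (string)($request['catName'] ?? '');
}

// Regardless of ordering, bind catName instead of concatenating it into SQL.
function findCategoryId(PDO $db, string $catName): ?int
{
    $stmt = $db->prepare('SELECT id FROM categories WHERE name = :name');
    $stmt->execute([':name' => $catName]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int)$id;
}

// Constructed request body; the quote shows a metacharacter surviving the
// vulnerable path and then being handled safely by the bound parameter.
$body = json_encode(['catName' => "Rock 'n' Roll"]);
echo 'vulnerable order: ', resolveCatName($body, true), PHP_EOL;
echo 'hardened order:   ', resolveCatName($body, false), PHP_EOL;
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories (name) VALUES ('Rock ''n'' Roll')");
var_dump(findCategoryId($db, resolveCatName($body, true)));
```

Run with a PHP CLI that has pdo_sqlite enabled; the point is that the global checks only help when they run after every input source has been merged, and that a prepared statement neutralizes catName even on the vulnerable path.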
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T20:57:47.708Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa4a7bc48b3f10ffe32f79
Added to database: 3/6/2026, 3:31:07 AM
Last enriched: 3/6/2026, 3:46:06 AM
Last updated: 3/6/2026, 6:36:00 AM