The vulnerability CVE-2026-33025 is an SQL Injection flaw in WWBN's AVideo-Encoder software, specifically in versions before 8.0. It arises from improper neutralization of special elements used in SQL commands (CWE-89). The vulnerable code is located in the getSqlFromPost() method within Object.php, where the application directly incorporates user-supplied POST parameters from the 'sort' array as SQL column identifiers in an ORDER BY clause. The developer attempted to sanitize input using real_escape_string(), which only escapes characters relevant to string literals (such as quotes and null bytes) but does not sanitize or validate SQL identifiers like column names. This oversight allows an attacker to inject arbitrary SQL code by manipulating the keys of the 'sort' array, potentially altering the query logic. The vulnerability does not require user interaction but does require low privileges (PR:L), meaning an attacker with limited access can exploit it. The impact includes unauthorized data disclosure, data modification, or other database manipulations. The vendor fixed this issue in version 8.0. Until upgrading, mitigations include deploying Web Application Firewall (WAF) rules that block POST requests where any 'sort[*]' key contains characters outside the whitelist [A-Za-z0-9_], effectively preventing injection of special characters. Another workaround is restricting access to sensitive endpoints like queue.json.php and index.php to trusted IP ranges only. No public exploits have been reported yet, but the vulnerability’s CVSS 4.0 score of 8.6 (high severity) reflects its critical nature due to ease of exploitation and potential impact on confidentiality and integrity.

This vulnerability poses a significant risk to organizations using AVideo-Encoder versions prior to 8.0. Successful exploitation can lead to unauthorized access to sensitive video platform data, including user information, video metadata, and potentially administrative data. Attackers could manipulate database queries to extract confidential information, alter data integrity, or disrupt service availability. Given the nature of SQL Injection, attackers might escalate privileges or pivot to other parts of the infrastructure. Organizations relying on AVideo-Encoder for video sharing or streaming services could face data breaches, reputational damage, and regulatory penalties. The vulnerability’s ease of exploitation without user interaction and low privilege requirements increases the likelihood of attacks, especially in environments where the application is exposed to untrusted networks. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public. Therefore, organizations worldwide using affected versions should prioritize patching or applying mitigations to prevent potential compromise.

1. Upgrade to AVideo-Encoder version 8.0 or later, where the vulnerability is fully patched. 2. If immediate upgrade is not feasible, implement Web Application Firewall (WAF) rules to block POST requests where any 'sort[*]' key contains characters outside the whitelist [A-Za-z0-9_]. This prevents injection of malicious SQL identifiers. 3. Restrict access to sensitive endpoints such as queue.json.php and index.php to trusted IP ranges only, minimizing exposure to untrusted users. 4. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries, ensuring that only valid column names are accepted. 5. Monitor application logs and network traffic for unusual or suspicious POST requests targeting the 'sort' parameter. 6. Employ database least privilege principles to limit the impact of any potential SQL Injection exploitation. 7. Regularly review and update security controls and conduct penetration testing focused on injection vulnerabilities. 8. Educate development teams on secure coding practices related to SQL query construction and input handling.