CVE-2026-33352: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo
CVE-2026-33352 is a critical SQL injection vulnerability in WWBN AVideo versions prior to 26.0. It exists in the getAllCategories() method within objects/category.php, where the doNotShowCats parameter is sanitized only by removing single quotes, a check that can be bypassed with backslash escaping. The flaw lets unauthenticated attackers execute arbitrary SQL, potentially compromising the confidentiality, integrity and availability of the entire database. The vulnerability carries a CVSS score of 9.8, critical severity with no authentication or user interaction required. No exploits have been reported in the wild yet, but the risk is high given the ease of exploitation and the impact. WWBN released version 26.0 to patch this issue.
AI Analysis
Technical Summary
CVE-2026-33352 is a critical SQL injection vulnerability affecting WWBN AVideo, an open-source video platform, in versions prior to 26.0. The vulnerability resides in the getAllCategories() method of objects/category.php, specifically in the handling of the doNotShowCats request parameter. The application attempts to sanitize this parameter by stripping single-quote characters with str_replace("'", '', ...) before splicing it into a query. That is insufficient: MySQL-compatible databases treat a backslash inside a single-quoted literal as an escape character under the default sql_mode, so a value ending in a backslash neutralises the closing quote the application itself appends, the literal runs on to the next quote in the query, and whatever follows that quote is parsed as SQL. The attacker never needs to supply a quote character of their own, which is why removing quotes does not help. Notably, this parameter is not subjected to the application's global input filters defined in objects/security.php, so nothing else intercepts the payload. An unauthenticated attacker can exploit this flaw remotely without any user interaction, injecting SQL that can read, modify or delete data, so the confidentiality, integrity and availability of the backend database are all affected. WWBN addressed this issue in version 26.0 by implementing proper input validation and sanitization. The CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope and high impact on confidentiality, integrity and availability. No public exploits have been reported yet, but the straightforward bypass and the lack of authentication make this a high-risk vulnerability for exposed deployments.
Potential Impact
The impact of CVE-2026-33352 is severe for organizations using vulnerable versions of WWBN AVideo. Exploitation allows unauthenticated remote attackers to execute arbitrary SQL commands against the backend database, potentially leading to full compromise of stored data. This includes unauthorized disclosure of sensitive user information, modification or deletion of video content metadata, and disruption of service availability through destructive queries. Given that AVideo is a video platform, compromised data integrity could undermine content trustworthiness, while confidentiality breaches could expose user identities and viewing habits. The availability impact could result in denial of service, affecting business continuity and user experience. Organizations relying on AVideo for content delivery or user engagement may face reputational damage, regulatory penalties for data breaches, and operational disruptions. The ease of exploitation and critical severity score underscore the urgent need for remediation to prevent potential large-scale attacks.
Mitigation Recommendations
To mitigate CVE-2026-33352, upgrade WWBN AVideo to version 26.0 or later, where the vulnerability is patched. If upgrading is not immediately feasible, treat doNotShowCats as what it is, a list of category IDs: split it on commas, cast every element to an integer and reject anything else, then bind the values through prepared statements instead of splicing them into the query text. Do not try to fix this by stripping more characters; character removal is exactly the approach that failed, and even a driver escaping helper such as mysqli_real_escape_string() (which, unlike the quote-only str_replace(), does escape backslashes) only protects the query if it is applied to the whole value in the context where the value is used. Use prepared statements with bound parameters for all database queries involving user input. Review the global input filtering in objects/security.php and make sure every request parameter passes through it, including those previously excluded like doNotShowCats. Where a WAF is in place, add SQL injection rules that also flag backslashes and comment sequences in parameters that should be numeric lists, since the usual quote-based signatures will not match this bypass. Audit the code base for other places where a hand-rolled str_replace() stands in for parameterization. Monitor web server and database logs for requests carrying backslashes, comment markers or SQL keywords in doNotShowCats and for failed queries originating from category.php. Finally, train developers on secure coding practices so that ad hoc sanitization is not used in place of parameterized queries, and include injection testing in pre-release security testing.
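An added worked example, not AVideo's own code, serving both the technical summary above and the mitigation advice: it models the quote-stripping sanitizer the advisory describes, a hypothetical NOT IN clause that a comma-separated doNotShowCats list might be spliced into, a small scanner that applies MySQL's default string-literal rules to show which characters end up outside the literal (that is, parsed as SQL), and the allow-list-plus-bound-parameters fix. The query shape, the table name and all function names are assumptions; the scanner models the default sql_mode, so the bypass it exhibits does not apply when NO_BACKSLASH_ESCAPES is set.

```python
"""Added illustration for CVE-2026-33352 (not AVideo project code).

The query shape is a hypothetical model of how a comma-separated
doNotShowCats list might be spliced into a NOT IN clause; it only has to
reproduce the property the advisory describes: single quotes are stripped,
backslashes are not. The table name and function names are assumptions.
"""
import re
from typing import List, Tuple

CATEGORY_QUERY = "SELECT * FROM categories WHERE id NOT IN ({})"


def weak_sanitize(value: str) -> str:
    """The sanitizer the advisory describes: only single quotes are removed."""
    return value.replace("'", "")


def build_vulnerable_query(do_not_show_cats: str) -> str:
    """Hypothetical flawed construction: each element is wrapped in quotes
    and concatenated straight into the SQL text."""
    parts = weak_sanitize(do_not_show_cats).split(",")
    return CATEGORY_QUERY.format(",".join("'" + p + "'" for p in parts))


def sql_outside_strings(sql: str) -> str:
    """Return the characters MySQL treats as SQL code rather than as string
    contents, under the default sql_mode: a backslash inside a single-quoted
    literal escapes the next character, '' is an escaped quote, and '-- ' or
    '#' outside a literal comments out the rest of the line. Anything from
    user input that shows up in the result has broken out of its literal."""
    code: List[str] = []
    i, n, in_str = 0, len(sql), False
    while i < n:
        c = sql[i]
        if in_str:
            if c == "\\":                      # escape: skip escaped char too
                i += 2
            elif c == "'" and sql[i + 1:i + 2] == "'":
                i += 2                         # '' inside a literal
            else:
                if c == "'":
                    in_str = False
                i += 1
        elif c == "'":
            in_str = True
            i += 1
        elif c == "#" or sql.startswith("-- ", i):
            nl = sql.find("\n", i)             # comment: drop to end of line
            i = n if nl == -1 else nl
        else:
            code.append(c)
            i += 1
    return "".join(code)


def parse_id_list(value: str) -> List[int]:
    """Allow-list parse for the fix: doNotShowCats is a list of category ids,
    so anything that is not a comma-separated run of ASCII digits is rejected."""
    value = value.strip()
    if not value:
        return []
    ids = []
    for item in value.split(","):
        item = item.strip()
        if not re.fullmatch(r"[0-9]+", item):
            raise ValueError(f"invalid category id: {item!r}")
        ids.append(int(item))
    return ids


def build_safe_query(do_not_show_cats: str) -> Tuple[str, Tuple[int, ...]]:
    """Placeholders (DB-API %s style, as used by MySQL drivers) plus bound
    integer parameters: the ids never become part of the SQL text, so there
    is no quoting rule left to bypass."""
    ids = parse_id_list(do_not_show_cats)
    if not ids:
        return "SELECT * FROM categories", ()
    placeholders = ",".join(["%s"] * len(ids))
    return CATEGORY_QUERY.format(placeholders), tuple(ids)


if __name__ == "__main__":
    # Constructed inputs: a benign list, a quote-based attempt the sanitizer
    # does stop, and the backslash bypass it does not.
    for payload in ["3,7", "3') OR 1=1 -- x", "1\\,) OR 1=1 -- x"]:
        q = build_vulnerable_query(payload)
        print(f"{payload!r:28} -> {q}")
        print(f"{'':28}    code seen by MySQL: {sql_outside_strings(q)!r}")
    print(build_safe_query("3, 7"))
    try:
        build_safe_query("1\\,) OR 1=1 -- x")
    except ValueError as e:
        print("rejected by allow-list:", e)
```

The third constructed payload is the one to look at: the quote it needs is the one the application itself appended, and the attacker's trailing backslash escapes it, so the closing quote of the next element opens the door and OR 1=1 lands outside any literal. The PHP equivalent of parse_id_list() and build_safe_query() is array_map('intval', explode(',', $doNotShowCats)) followed by binding the values through a mysqli prepared statement.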
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T22:15:11.814Z
- CVSS Version: 3.1
- State: PUBLISHED