CVE-2026-33352 is a critical SQL injection vulnerability identified in the open-source video platform WWBN AVideo, affecting all versions prior to 26.0. The vulnerability resides in the getAllCategories() method of the objects/category.php file, specifically in the handling of the doNotShowCats request parameter. The application attempts to sanitize this parameter by stripping single-quote characters using str_replace("'", '', ...), but this approach is insufficient and can be trivially bypassed using a backslash escape technique. This bypass allows attackers to manipulate SQL query boundaries and inject arbitrary SQL commands. Notably, the parameter is not subjected to the application's global input filtering mechanisms defined in objects/security.php, increasing the risk of exploitation. The vulnerability requires no authentication or user interaction, making it highly accessible to remote attackers. Exploitation can lead to full compromise of the backend database, including unauthorized data access, data manipulation, or deletion, severely impacting confidentiality, integrity, and availability. The issue was addressed in WWBN AVideo version 26.0 by implementing proper input validation and query parameterization. Despite no known exploits in the wild at the time of publication, the critical CVSS score of 9.8 underscores the urgency for affected users to update their installations promptly.

The impact of CVE-2026-33352 is severe, as it allows unauthenticated remote attackers to execute arbitrary SQL commands on the backend database of WWBN AVideo installations. This can lead to complete compromise of the database, including unauthorized disclosure of sensitive user data, modification or deletion of video content metadata, user credentials, or other critical information. The integrity of the platform can be undermined by attackers injecting malicious data or altering existing records. Availability may also be affected if attackers delete or corrupt essential database tables, potentially causing service outages. Organizations relying on WWBN AVideo for video content delivery, especially those hosting sensitive or proprietary content, face significant risks including data breaches, reputational damage, regulatory penalties, and operational disruption. Given the ease of exploitation without authentication or user interaction, the threat is highly scalable and can be exploited en masse by automated tools if weaponized.

1. Immediate upgrade to WWBN AVideo version 26.0 or later, which contains the official patch addressing this vulnerability. 2. Implement strict input validation and sanitization for all user-supplied parameters, ensuring that special characters are properly escaped or handled using parameterized queries (prepared statements) to prevent SQL injection. 3. Conduct a thorough code review of all database interaction points to verify that global input filters are consistently applied and no parameters bypass these controls. 4. Employ web application firewalls (WAFs) with SQL injection detection and prevention rules tailored to the application’s traffic patterns. 5. Monitor database logs and application logs for suspicious queries or anomalies indicative of injection attempts. 6. Educate developers on secure coding practices, emphasizing the dangers of improper input sanitization and the importance of using parameterized queries. 7. For existing deployments where immediate upgrade is not feasible, consider temporary mitigations such as disabling the vulnerable functionality or restricting access to trusted IP ranges until patching can be performed.