WWBN AVideo is an open-source video platform that, in versions up to and including 26.0, contains a critical SQL injection vulnerability identified as CVE-2026-33485. The vulnerability resides in the RTMP on_publish callback handler located at plugin/Live/on_publish.php, which is exposed without any authentication requirements. Specifically, the $_POST['name'] parameter, representing the stream key, is directly embedded into SQL queries within the LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() functions without using parameterized queries or escaping special characters. This improper neutralization of special elements (CWE-89) allows an unauthenticated attacker to conduct time-based blind SQL injection attacks. Such attacks can be used to systematically extract the entire database contents, including sensitive information like user password hashes, email addresses, and other confidential data. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high severity due to network attack vector, no required privileges or user interaction, and high confidentiality impact. Although no known exploits are currently reported in the wild, the ease of exploitation and the critical nature of the data at risk make this a significant threat. A patch has been committed (commit af59eade82de645b20183cc3d74467a7eac76549) that addresses the issue by implementing proper input validation and parameterized SQL queries.

The impact of this vulnerability is substantial for organizations using WWBN AVideo versions 26.0 and earlier. An attacker can remotely exploit the flaw without authentication or user interaction, enabling them to extract sensitive data such as user credentials and personal information. This can lead to account compromise, unauthorized access, and potential lateral movement within affected environments. The exposure of password hashes increases the risk of credential stuffing attacks on other systems if users reuse passwords. Additionally, the breach of email addresses and other personal data can lead to phishing campaigns and reputational damage. Since the vulnerability affects the core live streaming functionality, exploitation could disrupt service trust and user confidence. Organizations hosting video content, especially those handling sensitive or proprietary media, are at risk of data leakage and compliance violations. The lack of known exploits in the wild suggests a window for proactive remediation before widespread attacks occur.

Organizations should immediately upgrade WWBN AVideo to a version that includes the patch from commit af59eade82de645b20183cc3d74467a7eac76549 or later. If upgrading is not immediately feasible, implement the following mitigations: 1) Restrict network access to the RTMP on_publish endpoint using firewall rules or network segmentation to limit exposure to trusted sources only. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'name' parameter. 3) Monitor logs for unusual or repeated requests to the on_publish.php endpoint, especially those with suspicious POST data. 4) Conduct regular database audits and review user account activity for signs of compromise. 5) Enforce strong password policies and consider multi-factor authentication for user accounts to mitigate risks from credential exposure. 6) Educate development teams on secure coding practices, emphasizing the use of parameterized queries and input validation to prevent similar vulnerabilities. 7) Perform penetration testing and code reviews on custom plugins or modifications to ensure no additional injection points exist.