CVE-2026-33485: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch.
AI Analysis
Technical Summary
WWBN AVideo, an open-source video platform, suffers from a high-severity SQL injection vulnerability identified as CVE-2026-33485 affecting versions up to and including 26.0. The vulnerability is located in the RTMP on_publish callback handler (plugin/Live/on_publish.php), which is accessible without any authentication, exposing an attack surface to unauthenticated remote attackers. The root cause is the unsafe handling of the $_POST['name'] parameter, representing the stream key, which is directly embedded into SQL queries within the LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() functions. These queries do not use parameterized statements or proper escaping, leading to improper neutralization of special SQL elements (CWE-89). Exploitation is possible via time-based blind SQL injection techniques, enabling attackers to extract the entire database contents, including sensitive user data such as password hashes and email addresses. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high severity due to network attack vector, no required privileges or user interaction, and high confidentiality impact. Although no public exploits are currently known, the presence of a patch commit (af59eade82de645b20183cc3d74467a7eac76549) indicates that the vendor has addressed the issue. The vulnerability poses a significant risk to any deployment of affected AVideo versions, especially those exposed to untrusted networks.
Potential Impact
The impact of CVE-2026-33485 is substantial for organizations using WWBN AVideo versions up to 26.0. Successful exploitation allows unauthenticated remote attackers to perform time-based blind SQL injection attacks, leading to full disclosure of the backend database. This includes sensitive user information such as password hashes and email addresses, which can facilitate further attacks like credential stuffing, phishing, or identity theft. The vulnerability compromises confidentiality but does not affect integrity or availability directly. However, the exposure of sensitive data can lead to reputational damage, regulatory penalties (e.g., GDPR), and loss of user trust. Since the vulnerable endpoint is accessible without authentication, attackers can exploit this flaw at scale if the service is internet-facing. Organizations relying on AVideo for video streaming services, especially those handling personal or sensitive data, face a high risk of data breach and subsequent exploitation.
Mitigation Recommendations
To mitigate CVE-2026-33485, organizations should immediately upgrade to a patched version of WWBN AVideo that includes the fix committed in af59eade82de645b20183cc3d74467a7eac76549 or later. If upgrading is not immediately possible, implement the following specific mitigations:
1) Restrict network access to the RTMP on_publish endpoint by firewalling or IP whitelisting to trusted sources only.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the vulnerable parameter.
3) Conduct code review and refactor the affected functions to use parameterized SQL queries or prepared statements, so that the stream key is bound as data rather than concatenated into the SQL text.
4) Monitor logs for unusual or repeated access patterns to the on_publish.php endpoint indicative of exploitation attempts.
5) Enforce strong password policies and consider additional user authentication mechanisms to reduce the impact of leaked credentials.
6) Regularly audit and update all third-party components to incorporate security patches promptly.
These targeted actions go beyond generic advice by focusing on the specific vulnerable endpoint and parameter.
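As an added example (not from this advisory or the AVideo project), the following script implements the log monitoring in item 4: it scans constructed access-log lines for requests to plugin/Live/on_publish.php and flags sources whose requests show the multi-second response times a time-based blind injection produces, or that hit the unauthenticated callback in bursts. The log layout (nginx combined format plus a trailing request time), the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

ENDPOINT = "/plugin/Live/on_publish.php"
# Constructed sample lines (not real traffic): nginx "combined" format with a
# trailing $request_time field, an assumed layout for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:14:00:01 +0000] "POST /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "nginx-rtmp" 0.021
203.0.113.7 - - [23/Mar/2026:14:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.140
198.51.100.9 - - [23/Mar/2026:14:05:10 +0000] "POST /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "python-requests/2.31" 5.012
198.51.100.9 - - [23/Mar/2026:14:05:16 +0000] "POST /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "python-requests/2.31" 0.020
198.51.100.9 - - [23/Mar/2026:14:05:17 +0000] "POST /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "python-requests/2.31" 5.009
198.51.100.9 - - [23/Mar/2026:14:05:23 +0000] "POST /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "python-requests/2.31" 0.021
198.51.100.9 - - [23/Mar/2026:14:05:24 +0000] "POST /plugin/Live/on_publish.php HTTP/1.1" 200 12 "-" "python-requests/2.31" 5.011
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \d+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

def parse_line(line):
    """Return (ip, timestamp, path, request_time) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], float(m["rt"])

def triage(log_text, slow_seconds=3.0, burst_count=5, burst_window=60):
    """Map source IP -> sorted reasons why its on_publish traffic merits review."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)  # ip -> timestamps of its recent on_publish hits
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec[2] != ENDPOINT:
            continue
        ip, ts, _, rt = rec
        # Time-based blind injection works by stalling the server: a callback that
        # normally answers in milliseconds taking seconds is the signal.
        if rt >= slow_seconds:
            alerts[ip].add("slow_response")
        # The endpoint needs no authentication, so a burst of callbacks from one
        # source (far more than an encoder starting a stream) is worth a look.
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > burst_window:
            hits.popleft()
        if len(hits) >= burst_count:
            alerts[ip].add("burst")
    return {ip: sorted(reasons) for ip, reasons in alerts.items()}
```

Request bodies are normally not logged, so the script keys on timing and rate rather than on the stream-key value itself; pair it with the WAF rule from item 2 if the body is available for inspection.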
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, India, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.971Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c14e9ef4197a8e3b641c96
Added to database: 3/23/2026, 2:30:54 PM
Last enriched: 3/30/2026, 8:21:03 PM
Last updated: 5/7/2026, 4:30:02 AM