CVE-2026-33651: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo
CVE-2026-33651 is a high-severity SQL injection vulnerability in WWBN AVideo versions up to 26.0. The flaw is in the remindMe.json.php endpoint, where the live_schedule_id parameter is concatenated into a SQL LIKE clause without being sanitized. Some intermediate functions apply intval(), but only to their own local copies of the value; the original tainted input reaches the query unchanged, so any authenticated user can perform time-based blind SQL injection and extract arbitrary database contents, compromising confidentiality and integrity with no user interaction required. A patch has been committed; organizations running affected versions should prioritize updating.
AI Analysis
Technical Summary
WWBN AVideo, an open-source video platform, contains a high-severity SQL injection vulnerability tracked as CVE-2026-33651. The flaw is in the remindMe.json.php endpoint, where the live_schedule_id parameter is read from $_REQUEST (so it can arrive via the query string or a POST body) and passed through several functions without being sanitized. The value eventually reaches Scheduler_commands::getAllActiveOrToRepeat(), which concatenates it directly into a SQL LIKE clause. Intermediate calls such as new Live_schedule() and getUsers_idOrCompany() do apply intval(), but only to local copies inside ObjectYPT::getFromDb(); because PHP passes scalar arguments by value, the caller's original variable is left unchanged, and that is the value that reaches the query. This is the classic CWE-89 pattern of sanitization applied somewhere along the path rather than at the sink. Any authenticated user can therefore perform time-based blind SQL injection, inferring database contents one condition at a time from response delays, which compromises confidentiality and integrity. No user interaction is required beyond the attacker's own authenticated session. The CVSS 3.1 base score is 8.1 (High). A patch has been committed (commit 75d45780728294ededa1e3f842f95295d3e7d144) that sanitizes the input before it is used in the query.
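To make the pass-through pitfall concrete, here is an added example (not AVideo's code and not from the advisory) that models the call chain in Python against an in-memory SQLite database: an intermediate step casts its own copy of the value with a PHP-style intval(), the sink concatenates the caller's original string into a LIKE pattern, and a hardened sink casts the value it actually uses and binds it as a parameter. The table name scheduler_commands, the JSON-in-a-text-column layout and the LIKE pattern are assumptions for illustration, not AVideo's real schema or query. SQLite has no SLEEP(), so the demo uses a boolean payload; on a MySQL backend the same concatenation point is where a time-based payload would land, which is what the advisory describes.

```python
import re
import sqlite3


def php_intval(value):
    """Approximate PHP's intval() on a string: take the leading optional sign
    and digits, silently ignore everything after them, return 0 if none."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def make_db():
    """Constructed in-memory schema; names are assumptions, not AVideo's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE scheduler_commands ("
        "id INTEGER PRIMARY KEY, parameters TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO scheduler_commands VALUES (?, ?, ?)",
        [
            (1, '{"live_schedule_id":1}', "active"),
            (2, '{"live_schedule_id":2}', "active"),
            (3, '{"live_schedule_id":3}', "inactive"),
        ],
    )
    return conn


def schedule_exists(live_schedule_id):
    """Models the intermediate lookup: it casts its OWN copy of the value.
    The caller's variable is untouched, so this protects nothing downstream,
    and a payload that starts with digits sails through the check."""
    sid = php_intval(live_schedule_id)
    return sid > 0


def get_all_active_vulnerable(conn, live_schedule_id):
    """Models the sink: the caller's original string is concatenated into
    the LIKE pattern. Never use this pattern in real code."""
    sql = (
        "SELECT id FROM scheduler_commands WHERE status = 'active' "
        "AND parameters LIKE '%\"live_schedule_id\":" + str(live_schedule_id) + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def get_all_active_fixed(conn, live_schedule_id):
    """Hardened sink: cast the value that is actually used, then bind it.
    Stricter still is to reject anything that is not all digits with a 400.
    (LIKE on a JSON blob is itself loose: the pattern for 1 also matches 10.)"""
    sid = php_intval(live_schedule_id)
    pattern = f'%"live_schedule_id":{sid}%'
    return [
        row[0]
        for row in conn.execute(
            "SELECT id FROM scheduler_commands "
            "WHERE status = 'active' AND parameters LIKE ?",
            (pattern,),
        )
    ]


def remind_me(conn, request, sink):
    """Models the endpoint: read the tainted value, run the intermediate
    check, then hand the ORIGINAL value to the chosen sink."""
    live_schedule_id = request.get("live_schedule_id", "")
    if not schedule_exists(live_schedule_id):
        return []
    return sink(conn, live_schedule_id)


if __name__ == "__main__":
    conn = make_db()
    payload = "1' OR 1=1 OR '"  # closes the LIKE string, adds an always-true condition
    print(remind_me(conn, {"live_schedule_id": "2"}, get_all_active_vulnerable))      # [2]
    print(remind_me(conn, {"live_schedule_id": payload}, get_all_active_vulnerable))  # [1, 2, 3]
    print(remind_me(conn, {"live_schedule_id": payload}, get_all_active_fixed))       # [1]
```

The point the demo isolates is that php_intval() inside schedule_exists() is not a defence: it makes the tainted string look valid (it starts with a digit) and then discards its own result, so the unmodified string continues to the sink. The fix is not more validation somewhere on the path but casting or rejecting the value at the query and binding it.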
Potential Impact
Organizations running affected versions face real exposure. An attacker with any authenticated account can use time-based blind injection to read arbitrary data from the backend database: user records, password hashes, API keys, video and live-stream metadata, and configuration values, all of which compromises confidentiality. Integrity is also at risk, since the same injection point may allow data to be manipulated rather than only read. Availability is not directly affected, though a sustained time-based attack does hold database connections open while deliberately slow queries run. Credentials or tokens recovered from the database can be replayed against the platform or against other systems where they are reused. Because AVideo is deployed for media delivery, education, and corporate communications, a breach also carries reputational and regulatory consequences. The authentication requirement narrows the attacker pool to registered users, but self-registration where enabled, insider threats, and compromised accounts make that a weak barrier. No exploitation in the wild is currently known, which leaves a window for proactive patching.
Mitigation Recommendations
Upgrade WWBN AVideo to a build that includes commit 75d45780728294ededa1e3f842f95295d3e7d144 or later; that is the complete fix. Where an upgrade cannot be applied immediately, validate live_schedule_id at the point where it is actually used rather than in a helper that only casts its own copy: the value is an integer identifier, so apply intval() (or reject any non-digit value outright) to the variable that is passed into the query, and bind it as a parameter instead of concatenating it into the LIKE pattern. Because the endpoint reads from $_REQUEST, query-string and POST-body values need the same treatment. The same narrow rule, that live_schedule_id on remindMe.json.php must match ^[0-9]+$, makes a low-false-positive reverse-proxy or WAF stopgap; generic SQL injection signatures are a weaker substitute, as they are routinely bypassed with encoding and comment tricks. Audit the surrounding code for other parameters that follow the same pass-through pattern. Keep user privileges minimal and, if self-registration is not required, disable it, since any authenticated account suffices to exploit the flaw. In monitoring, look for requests to remindMe.json.php whose decoded parameter is not purely numeric or contains tokens such as SLEEP or BENCHMARK, and for clusters of requests to that endpoint with response times many times the endpoint's baseline, which is the footprint of time-based blind extraction. Include injection-focused testing in regular assessments and keep an incident response plan ready for any detected exploitation.
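As an added example for the monitoring advice above (not part of the advisory or of AVideo), the following Python script scores web-server access log lines for the two signals a time-based blind injection against remindMe.json.php leaves behind: a live_schedule_id value that is not purely numeric or contains SQL tokens, and response times far above the endpoint's own median. The log lines are constructed, the URL path prefix /plugin/Live/ is an assumption (the matcher keys only on the file name), and the trailing field is the request duration in microseconds as Apache's %D directive would log it.

```python
import re
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Constructed sample in combined log format plus a trailing %D duration field
# (microseconds). The /plugin/Live/ prefix is an assumption. The last line is
# an unrelated slow page that must NOT be flagged.
SAMPLE_LOG = """\
10.0.0.5 - alice [30/Mar/2026:08:00:01 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=42 HTTP/1.1" 200 311 120345
10.0.0.5 - alice [30/Mar/2026:08:00:02 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=43 HTTP/1.1" 200 298 98711
10.0.0.9 - bob [30/Mar/2026:08:01:10 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=1%27%20AND%20SLEEP%285%29%20AND%20%271%27%3D%271 HTTP/1.1" 200 52 5210442
10.0.0.9 - bob [30/Mar/2026:08:01:17 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=1%27%20AND%20SLEEP%285%29%20AND%20%271%27%3D%271 HTTP/1.1" 200 52 5198877
10.0.0.7 - carol [30/Mar/2026:08:02:00 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=44 HTTP/1.1" 200 305 110002
10.0.0.7 - carol [30/Mar/2026:08:02:03 +0000] "GET /index.php HTTP/1.1" 200 8812 9000000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ (?P<us>\d+)$'
)
# Tokens that have no business appearing in an integer identifier.
SQLI_TOKENS = re.compile(
    r"\b(sleep|benchmark|union|select|and|or)\b|['\"]|--|/\*", re.I
)
ENDPOINT = "remindMe.json.php"


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["us"] = int(rec["us"])
    return rec


def analyze(log_text, slow_factor=10):
    """Return one finding per suspicious request to the endpoint."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = [e for e in events
            if urlsplit(e["target"]).path.endswith("/" + ENDPOINT)]
    if not hits:
        return []
    # The median is a robust baseline only while attack traffic is a minority;
    # for a long-running campaign compare against a stored historical baseline.
    baseline = median(e["us"] for e in hits)
    findings = []
    for e in hits:
        raw = parse_qs(urlsplit(e["target"]).query).get("live_schedule_id", [""])[0]
        reasons = []
        if not re.fullmatch(r"\d+", raw):
            reasons.append("non-numeric live_schedule_id")
        if SQLI_TOKENS.search(raw):
            reasons.append("sql tokens in live_schedule_id")
        if e["us"] > slow_factor * baseline:
            reasons.append(
                f"slow: {e['us'] / 1e6:.2f}s vs median {baseline / 1e6:.2f}s"
            )
        if reasons:
            findings.append({"ip": e["ip"], "user": e["user"], "ts": e["ts"],
                             "value": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["user"], f["value"], "; ".join(f["reasons"]))
```

Two caveats when applying this to real traffic. First, access logs only show the query string; because the endpoint also honours $_REQUEST values sent in a POST body, the parameter check needs application-side or WAF-side logging of request bodies to be complete. Second, the latency signal alone is noisy (a slow database hurts every request equally), so treat it as corroboration of the parameter check rather than a standalone alert, and tune slow_factor to the endpoint's normal variance.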
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.217Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69c18de6f4197a8e3b82dd81
Added to database: 3/23/2026, 7:00:54 PM
Last enriched: 3/30/2026, 8:41:15 PM
Last updated: 5/7/2026, 4:32:58 AM