CVE-2026-33651 is an SQL injection vulnerability classified under CWE-89 affecting WWBN's open-source video platform, AVideo, in versions up to and including 26.0. The vulnerability exists in the remindMe.json.php endpoint, where the 'live_schedule_id' parameter from $_REQUEST is passed through multiple functions without proper sanitization. While intermediate functions such as new Live_schedule() and getUsers_idOrCompany() internally apply intval() to local copies of the parameter within ObjectYPT::getFromDb(), the original input remains unsanitized. This unsanitized input is then directly concatenated into a SQL LIKE clause within Scheduler_commands::getAllActiveOrToRepeat(), enabling an authenticated attacker to conduct time-based blind SQL injection attacks. These attacks allow extraction of arbitrary database contents by exploiting the SQL query logic. The vulnerability does not require user interaction beyond authentication and has a CVSS 3.1 base score of 8.1, indicating high severity with network attack vector, low attack complexity, and high impact on confidentiality and integrity. The availability impact is rated none. Although no known exploits are currently reported in the wild, a patch has been committed (commit 75d45780728294ededa1e3f842f95295d3e7d144) to remediate the issue by properly sanitizing inputs before SQL query construction.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the AVideo platform's database. Attackers with valid authentication can exploit the SQL injection flaw to extract user information, video metadata, schedules, and potentially other confidential data. This compromises confidentiality and integrity of the system's data. Since the vulnerability allows arbitrary database content extraction, it could lead to privacy violations, intellectual property theft, and further escalation of attacks if sensitive credentials or configuration data are exposed. Although availability is not directly impacted, the breach of trust and data loss can severely damage organizational reputation and user trust. Organizations relying on AVideo for video hosting and streaming services are at risk of data breaches, regulatory non-compliance, and potential legal consequences. The ease of exploitation due to low attack complexity and network accessibility increases the urgency of remediation.

Organizations should immediately upgrade AVideo installations to versions beyond 26.0 where the patch has been applied. If upgrading is not immediately feasible, implement input validation and sanitization at the application level for the 'live_schedule_id' parameter, ensuring that only strictly validated integer values are accepted. Employ parameterized queries or prepared statements in all database interactions to eliminate direct concatenation of user inputs into SQL commands. Conduct a thorough code audit of all endpoints handling user input to identify and remediate similar injection risks. Restrict access to the remindMe.json.php endpoint to trusted users and monitor logs for suspicious activity indicative of SQL injection attempts. Additionally, implement database activity monitoring and anomaly detection to identify potential exploitation attempts. Regularly update and patch all components of the AVideo platform and maintain a robust incident response plan to address any detected breaches promptly.