CVE-2026-33723 identifies a SQL Injection vulnerability in the open-source video platform WWBN AVideo, affecting all versions up to and including 26.0. The root cause lies in the Subscribe::save() method within the objects/subscribe.php file, where the $this->users_id property is directly concatenated into an SQL INSERT query without any input sanitization or use of parameterized queries. This property is sourced from user-controlled input ($_POST['user_id']) in subscribe.json.php and subscribeNotify.json.php. Because the input is not neutralized, an authenticated attacker can inject malicious SQL code, enabling unauthorized data extraction from any database table. This includes highly sensitive information such as password hashes, API keys, and encryption salts, which could facilitate further compromise. The vulnerability is exploitable remotely over the network with low attack complexity, requiring only authenticated access and no additional user interaction. The scope is limited to installations running vulnerable versions of AVideo. A patch has been committed (commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c) that addresses the issue by implementing proper input validation and parameterized queries. The CVSS v3.1 base score is 7.1, reflecting high severity due to the potential confidentiality impact and ease of exploitation with authentication.

The primary impact of this vulnerability is a severe breach of confidentiality, as attackers can extract sensitive data including password hashes, API keys, and encryption salts from the backend database. This can lead to account takeovers, unauthorized access to other integrated systems, and further lateral movement within the affected environment. While the integrity impact is limited to potential unauthorized data insertion or modification via SQL injection, the vulnerability does not affect system availability. Organizations relying on WWBN AVideo for video hosting or streaming services risk significant data exposure and reputational damage if exploited. The requirement for authentication limits the attack surface to users with valid credentials, but insider threats or compromised accounts can still leverage this flaw. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure and availability of a patch increase the urgency for remediation to prevent future exploitation.

Organizations should immediately upgrade WWBN AVideo installations to versions beyond 26.0 where the patch commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c has been applied. If upgrading is not immediately possible, implement strict input validation and sanitization on the user_id parameter at the web application firewall (WAF) or application layer to block malicious SQL payloads. Employ parameterized queries or prepared statements in custom code if modifications are made. Restrict authenticated user privileges to the minimum necessary to reduce the risk of exploitation by compromised accounts. Monitor logs for unusual database queries or unexpected access patterns related to subscription functionality. Conduct regular security audits and penetration tests focusing on injection flaws. Additionally, enforce multi-factor authentication (MFA) to reduce the risk of account compromise that could lead to exploitation of this vulnerability.