CVE-2026-33723: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo
CVE-2026-33723 is a high-severity SQL injection vulnerability in WWBN AVideo versions up to and including 26.0. The flaw is in the Subscribe::save() method, where a value taken from $_POST['user_id'] is concatenated directly into an SQL INSERT statement without validation, escaping or parameterization. An authenticated attacker can use it to execute arbitrary SQL and potentially read sensitive data such as password hashes, API keys and encryption salts from the database. No user interaction beyond authentication is required; the vulnerability affects confidentiality, has limited impact on integrity and no impact on availability. A fix has been committed upstream. Organizations running affected versions should apply the patch promptly and review who holds authenticated access.
AI Analysis
Technical Summary
CVE-2026-33723 affects WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The root cause is improper neutralization of special elements used in an SQL command (CWE-89), that is, SQL injection. In the Subscribe::save() method in objects/subscribe.php, the property $this->users_id is concatenated directly into an SQL INSERT string without escaping or a parameterized query. That property is populated from user input ($_POST['user_id']) received by subscribe.json.php and subscribeNotify.json.php. Because the value is neither validated nor escaped, an authenticated attacker can supply input that changes the structure of the query and injects arbitrary SQL. This can disclose data stored in the database, including password hashes, API keys and encryption salts. Exploitation requires an authenticated account but no further user interaction. The CVSS v3.1 base score is 7.1 (High), consistent with low attack complexity, low required privileges, no user interaction, high confidentiality impact and limited integrity impact. The vendor addressed the issue in commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c; the advisory does not describe the change, but the standard fix for this pattern is to validate the value as an integer and bind it as a query parameter. No exploitation in the wild has been reported, but the vulnerability poses a serious risk to affected deployments.
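The concatenation pattern described above, beside its hardened form, as an added illustration that is not AVideo's code: the Subscribe-like save() functions, the users/subscribes schema, the sample rows and the payload below are all constructed for this example and assume nothing about the project's actual schema or query text. It uses PDO with an in-memory SQLite database (the pdo_sqlite extension is assumed) so it runs offline; the multi-row VALUES form and scalar subquery used by the payload are valid in both SQLite and MySQL.

```php
<?php
// Added example (not AVideo's code). Shows why an integer column spliced into
// an INSERT needs both a type check and a bound parameter.
declare(strict_types=1);

function makeDb(): PDO {
    // Constructed toy schema: a users table holding password hashes, and a
    // subscribes table whose rows the subscribing user can later read back.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)');
    $db->exec('CREATE TABLE subscribes (id INTEGER PRIMARY KEY, email TEXT, name TEXT, users_id INTEGER)');
    $db->exec("INSERT INTO users (id, user, password) VALUES (1, 'admin', 'constructed-admin-hash')");
    return $db;
}

// Vulnerable: the request-supplied users_id is concatenated, unquoted, into the SQL.
function saveVulnerable(PDO $db, string $email, string $name, string $usersId): void {
    $sql = "INSERT INTO subscribes (email, name, users_id) VALUES ('$email', '$name', $usersId)";
    $db->exec($sql);
}

// Hardened: reject anything that is not a non-empty string of digits, then
// bind every value as a parameter so it can only ever be data, never SQL.
function saveHardened(PDO $db, string $email, string $name, string $usersId): void {
    if (!ctype_digit($usersId)) {
        throw new InvalidArgumentException('users_id must be a positive integer');
    }
    $stmt = $db->prepare(
        'INSERT INTO subscribes (email, name, users_id) VALUES (:email, :name, :users_id)'
    );
    $stmt->execute([':email' => $email, ':name' => $name, ':users_id' => (int) $usersId]);
}

// Constructed payload: closes the attacker's own row and appends a second row
// whose name column is populated by a subquery against the users table.
$payload = "1), ('x@example.test', (SELECT password FROM users WHERE id = 1), 1";

// 1. Vulnerable path: the injected row lands in subscribes, carrying the hash
//    into a table the subscriber can read through ordinary application features.
$db = makeDb();
saveVulnerable($db, 'sub@example.test', 'legit', $payload);
foreach ($db->query('SELECT id, name FROM subscribes ORDER BY id') as $row) {
    echo "subscribes row {$row['id']}: name={$row['name']}", PHP_EOL;
}

// 2. Hardened path: the same payload is rejected before any SQL is built.
$db = makeDb();
try {
    saveHardened($db, 'sub@example.test', 'legit', $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// 3. Hardened path with a legitimate id still works as intended.
saveHardened($db, 'sub@example.test', 'legit', '1');
echo 'rows after hardened save: ', $db->query('SELECT COUNT(*) FROM subscribes')->fetchColumn(), PHP_EOL;
```

The type check and the bound parameter are independent defences: even if the ctype_digit() check were dropped, a bound :users_id would be sent to the database as a value rather than spliced into the statement text, so the subquery would never execute. Keep both, since the check also gives a clean error for malformed requests instead of a database error that may leak schema details.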
Potential Impact
The primary impact of CVE-2026-33723 is on the confidentiality of data stored within the AVideo platform's backend database. An attacker who successfully exploits this vulnerability can extract sensitive information such as password hashes, API keys, and encryption salts, which can lead to further compromise of user accounts and backend systems. Although the vulnerability does not directly affect data integrity or availability, the exposure of sensitive credentials can facilitate privilege escalation, unauthorized access to other systems, and lateral movement within an organization’s network. For organizations relying on AVideo for video content delivery, this could result in data breaches, loss of user trust, regulatory penalties, and reputational damage. Since the vulnerability requires authentication, the risk is somewhat mitigated by access controls, but insider threats or compromised accounts could still exploit it. The lack of user interaction needed means exploitation can be automated once authenticated access is obtained. Given the nature of the data exposed, the impact is significant for any organization handling sensitive or regulated information through AVideo.
Mitigation Recommendations
1. Apply the vendor fix from commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c, or upgrade to a release that includes it.
2. Validate $_POST['user_id'] as an integer before use, and use parameterized queries or prepared statements for this and every other query that incorporates request data.
3. Enforce least privilege on user accounts so that only trusted, necessary users hold the authenticated access required to reach the subscription endpoints.
4. Monitor database and application logs for unusual query shapes or requests to subscribe.json.php and subscribeNotify.json.php carrying non-numeric user_id values, which would indicate exploitation attempts.
5. Audit the database for signs of data exfiltration or tampering, focusing on sensitive fields such as password hashes, API keys and encryption salts; rotate any that may have been exposed.
6. Consider a web application firewall with rules to detect and block SQL injection payloads against the affected endpoints, as a stop-gap until the patch is applied.
7. Train developers and administrators in secure coding practices, in particular treating all request input as untrusted.
8. Keep vulnerability management and timely patching of open-source components such as AVideo in the security policy and review it regularly.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:34:57.559Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c18de8f4197a8e3b82ea8b
Added to database: 3/23/2026, 7:00:56 PM
Last enriched: 3/23/2026, 7:15:58 PM
Last updated: 3/23/2026, 9:09:26 PM
Views: 7