
CVE-2026-33767: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo

Severity: High
Type: Vulnerability
Tags: CVE-2026-33767, CWE-89
Published: Fri Mar 27 2026 (03/27/2026, 16:12:36 UTC)
Source: CVE Database V5
Vendor/Project: WWBN
Product: AVideo

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 18:00:04 UTC

Technical Analysis

CVE-2026-33767 is an SQL injection vulnerability in the open-source video platform WWBN AVideo, affecting all versions up to and including 26.0. The flaw is in the getLike() method in objects/like.php. The method builds its SQL query with a prepared-statement placeholder for users_id but concatenates $this->videos_id directly into the query string. A prepared statement only protects the values bound to its placeholders: the database parses the query text first and binds the parameters afterwards, so anything concatenated into that text is interpreted as SQL rather than as data. An attacker who controls the videos_id value, typically via a crafted HTTP request, can therefore inject arbitrary SQL (CWE-89), and the placeholder for users_id offers no protection against it. The vulnerability requires no user interaction but does require some level of privileges (likely an authenticated account). The CVSS 4.0 base score is 7.1 (High), reflecting the network attack vector, low attack complexity, no user interaction, and high impact on confidentiality. Exploitation can lead to unauthorized disclosure, modification, or deletion of data in the AVideo database, compromising user data and platform integrity. No exploits are currently reported in the wild. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains the fix; organizations running affected versions should update to a build that includes it.

Potential Impact

The impact of CVE-2026-33767 is significant for organizations using WWBN AVideo as their video platform. Successful exploitation can expose sensitive data stored in the platform's database, including user account records, video metadata, and possibly administrative data. An attacker could also modify or delete data, undermining integrity and availability; given the platform's role in content delivery, that could disrupt service or cause reputational damage. Because the flaw allows arbitrary SQL, the blast radius depends heavily on the database account the application uses: an over-privileged account, or database credentials shared with other systems, would let an attacker reach beyond the AVideo schema. The impact is greater in environments where AVideo is integrated with other critical systems or hosts sensitive user-generated content. Although exploitation requires some privileges (likely an authenticated account), the low attack complexity and network reachability make it a practical target for attackers with limited access. Organizations relying on this platform for video hosting and streaming face risks of data breaches, service disruption, and compliance violations if left unpatched.

Mitigation Recommendations

To mitigate CVE-2026-33767, update WWBN AVideo to a release or build that includes commit 0215d3c4f1ee748b8880254967b51784b8ac4080. If updating immediately is not feasible, apply the fix by hand in objects/like.php: bind videos_id through a prepared-statement placeholder alongside users_id instead of concatenating it into the query string, and verify that the query contains no other concatenated values. Because videos_id is a numeric identifier, also validate that it is an integer before it reaches the query layer; the prepared statement stops the injection, but type validation is a cheap second line of defence and avoids relying on the database's string-to-number coercion. Apply the same review to every other query in the codebase: prepared statements only protect the values bound to placeholders, so a single concatenated fragment undoes the protection. Web application firewall rules targeting SQL injection patterns add a layer of defence but are not a substitute for the code fix. Run the application with a database account restricted to the tables and statements it needs, so that an injection cannot read unrelated tables or alter data it should not touch. Monitor database and application logs for anomalous queries or SQL errors that indicate injection attempts. Finally, train developers to parameterize every dynamic component of a SQL statement, not just some of them.
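The following is an added example written for this page; it is not AVideo's code and not the patch. It reproduces in Python, against an in-memory SQLite database, the query shape the description attributes to getLike() (users_id bound through a `?` placeholder, videos_id concatenated), runs two constructed payloads through it, and contrasts the result with a fully parameterized query and an integer-validated one. The table layout, column names, the SELECT form of the query, the sample rows and the payloads are all assumptions made for the demo; AVideo itself runs on PHP and MySQL, where `?` placeholders behave the same way.

```python
"""Added example (not AVideo's code): why a half-parameterized query is still injectable.

The advisory describes a query that binds users_id through a `?` placeholder but
concatenates videos_id into the SQL text. This stand-alone demo reproduces that
shape against an in-memory SQLite database and contrasts it with a fully
parameterized query and an integer-validated one. Table layout, column names,
the SELECT form of the query and the sample rows are constructed for the demo.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE likes (id INTEGER PRIMARY KEY, users_id INTEGER, videos_id INTEGER, "like" INTEGER);
CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
"""
# Constructed sample data: two users with likes on three videos, plus the kind
# of secret a UNION-based injection would go after.
SAMPLE_LIKES = [(1, 1, 10, 1), (2, 1, 11, 1), (3, 2, 10, -1), (4, 2, 12, 1)]
SAMPLE_USERS = [(1, "admin", "$2y$10$hash_of_admin_pw"),
                (2, "alice", "$2y$10$hash_of_alice_pw")]

SELECT_LIKE = 'SELECT id, users_id, videos_id, "like" FROM likes WHERE users_id = ?'


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO likes VALUES (?, ?, ?, ?)", SAMPLE_LIKES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def get_like_vulnerable(conn, users_id, videos_id):
    """The pattern the CVE describes: users_id is bound, videos_id is pasted in.

    The database parses the whole string as SQL before binding users_id, so
    whatever videos_id contains becomes part of the statement.
    """
    sql = SELECT_LIKE + " AND videos_id = " + str(videos_id)
    return conn.execute(sql, (users_id,)).fetchall()


def get_like_fixed(conn, users_id, videos_id):
    """Both values bound: the SQL text never changes, so attacker input is only data."""
    sql = SELECT_LIKE + " AND videos_id = ?"
    return conn.execute(sql, (users_id, videos_id)).fetchall()


def is_valid_id(value):
    """An id is a positive decimal integer; anything else is rejected up front."""
    return re.fullmatch(r"[1-9][0-9]*", str(value)) is not None


def get_like_validated(conn, users_id, videos_id):
    """Defence in depth: validate the type, then bind an actual integer."""
    if not is_valid_id(videos_id):
        raise ValueError("videos_id must be a positive integer")
    return get_like_fixed(conn, users_id, int(videos_id))


# Two constructed payloads: a boolean tautology that also defeats the users_id
# filter (AND binds tighter than OR), and a UNION that pulls rows from an
# unrelated table through the likes query.
TAUTOLOGY = "10 OR 1=1"
UNION_DUMP = "0 UNION SELECT id, 0, 0, password FROM users"

if __name__ == "__main__":
    db = make_db()
    print("legit, fixed    :", get_like_fixed(db, 1, 10))
    print("tautology, vuln :", get_like_vulnerable(db, 1, TAUTOLOGY))   # every user's likes
    print("union, vuln     :", get_like_vulnerable(db, 1, UNION_DUMP))  # password hashes
    print("tautology, fixed:", get_like_fixed(db, 1, TAUTOLOGY))        # []
    try:
        get_like_validated(db, 1, TAUTOLOGY)
    except ValueError as exc:
        print("validated       :", exc)
```

Two points carry over to the PHP/MySQL original. Binding videos_id alone is enough to stop the injection, because the SQL text no longer varies with attacker input. Validation is still worth adding: MySQL, unlike SQLite, coerces a bound string such as '10 OR 1=1' to the number 10 when comparing it with an INT column (a warning, not an error), so a fully parameterized query that binds the raw string would quietly query video 10 instead of matching nothing. Validating the value and binding it as an integer (the 'i' type in mysqli's bind_param) removes that ambiguity.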


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-23T18:30:14.127Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69c6c20e3c064ed76fce99b4

Added to database: 3/27/2026, 5:44:46 PM

Last enriched: 3/27/2026, 6:00:04 PM

Last updated: 3/27/2026, 7:06:59 PM
