CVE-2026-33770: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
AI Analysis
Technical Summary
CVE-2026-33770 is an SQL injection vulnerability (CWE-89) in the open-source video platform WWBN AVideo, affecting all versions up to and including 26.0. The flaw is in the static method fixCleanTitle() in objects/category.php, which builds a SQL SELECT query by embedding the variables $clean_title and $id directly into the query string instead of using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can therefore change the structure of the query and run SQL of their choosing with the rights of the application's database account. The vulnerability carries a CVSS 4.0 base score of 7.1 (High): attack vector network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality (VC:H). The score records no direct integrity or availability impact, so the primary risk is disclosure of database contents; whether an attacker can also modify data depends on whether the query execution path accepts stacked statements, which the advisory does not state. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains the fix, which is expected to replace the string interpolation with a parameterized query or equivalent escaping. No exploitation in the wild had been reported as of publication.
Potential Impact
Exploitation lets an attacker run attacker-controlled SQL against the application's database through the category title (or id) parameter. The most direct consequence is unauthorized disclosure of anything the application's database account can read: user credentials, video metadata and other private information stored alongside them. Because the injected query is a SELECT, the natural exfiltration paths are UNION-based or blind injection; modifying or deleting data would additionally require the execution path to accept stacked statements, which is why the CVSS vector records high confidentiality impact but no direct integrity or availability impact. In multi-tenant or shared-hosting deployments, a single vulnerable instance can expose data belonging to other tenants that share the database. The attack needs only a low-privileged account that can create or rename categories and no user interaction, so it is within reach of insiders and of attackers who have obtained any such account. Data taken from the database, credentials in particular, can in turn support account takeover, privilege escalation and lateral movement. For organizations relying on AVideo for content delivery, this could result in reputational damage, regulatory non-compliance and financial losses. The absence of known exploits in the wild provides a window for remediation, but the high severity score underscores the urgency of patching.
Mitigation Recommendations
Upgrade to a release of WWBN AVideo that includes commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 as soon as possible; replacing the string interpolation in fixCleanTitle() with a parameterized query is the actual fix, and everything below is a stopgap. Where upgrading must wait, validate the category title and id before they reach the query: a clean_title is a URL slug and can be held to a strict character allow-list, and the id must be cast to an integer rather than passed through as a string. A web application firewall with SQL injection rules in front of the category creation and renaming endpoints adds a layer of temporary protection but should not be relied on alone. Restrict the ability to create or rename categories to the smallest set of trusted accounts, since PR:L means any such account is sufficient to attack. Run the application against a database account with the least privileges it needs (read and write only to its own schema, no administrative grants) so that a successful injection cannot reach beyond the application's data. Review database and application logs for SQL syntax errors and for category titles containing quotes, comment sequences or UNION, which are the usual traces of probing. Check customizations and plugins for the same interpolation pattern with code review or static analysis. Finally, monitor WWBN's advisories for updates or reports of exploitation related to this vulnerability.
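To make the defect described in the technical summary and the stopgaps recommended above concrete, the following Python script is an added example written for this page; it is not AVideo's code (AVideo itself is PHP) and does not reproduce the real fixCleanTitle(). It models the pattern: a lookup that splices `clean_title` and `id` into a SELECT, the same lookup rewritten with bound parameters, and allow-list validators for the two inputs. The table layout, the assumed query shape (a check for other categories already using the same clean_title), the slug character set and the payloads are all constructed assumptions; an in-memory SQLite database stands in for the real one.

```python
import re
import sqlite3

# Constructed schema: a minimal stand-in for a categories table plus a table holding
# data an attacker would want. It does not reflect AVideo's real schema.
SCHEMA = """
CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, clean_title TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
INSERT INTO categories VALUES (1, 'Music', 'music'), (2, 'News', 'news');
INSERT INTO users VALUES (1, 'admin', 'hash_of_admin_secret');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def other_categories_vulnerable(conn, clean_title, category_id):
    """Assumed shape of the flawed lookup: which other categories already use this
    clean_title? Both values are spliced into the SQL text, so either one can
    change the structure of the query."""
    sql = (f"SELECT clean_title FROM categories "
           f"WHERE clean_title = '{clean_title}' AND id != {category_id}")
    return sorted(row[0] for row in conn.execute(sql))


def other_categories_fixed(conn, clean_title, category_id):
    """Same lookup with bound parameters. Values travel separately from the SQL
    text, so a quote in clean_title is just a character, and int() makes a
    non-numeric id fail loudly instead of being spliced in."""
    sql = "SELECT clean_title FROM categories WHERE clean_title = ? AND id != ?"
    rows = conn.execute(sql, (clean_title, int(category_id)))
    return sorted(row[0] for row in rows)


# Stopgap input checks for deployments that cannot patch yet. A clean_title is a
# URL slug, so an allow-list is natural; an id must be a positive integer. The
# exact character set is an assumption, not AVideo's rule.
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,99}$")


def valid_clean_title(value):
    return bool(SLUG_RE.fullmatch(value))


def valid_category_id(value):
    return str(value).isdigit() and int(value) > 0


# Constructed payloads: a UNION through the quoted string parameter, and a
# boolean tautology through the unquoted numeric parameter.
UNION_TITLE = "x' UNION SELECT password FROM users WHERE '1'='1"
TAUTOLOGY_ID = "0 OR 1=1"


def demo():
    conn = open_db()
    results = {
        # The UNION pulls a password hash out of an unrelated table.
        "vulnerable_union": other_categories_vulnerable(conn, UNION_TITLE, 0),
        # The tautology in the numeric parameter disables the filter entirely.
        "vulnerable_id": other_categories_vulnerable(conn, "music", TAUTOLOGY_ID),
        # With bound parameters the same title is a literal that matches nothing.
        "fixed_union": other_categories_fixed(conn, UNION_TITLE, 0),
    }
    try:
        other_categories_fixed(conn, "music", TAUTOLOGY_ID)
        results["fixed_id_rejected"] = False
    except ValueError:
        # int("0 OR 1=1") fails before any SQL is built.
        results["fixed_id_rejected"] = True
    results["validators"] = (
        valid_clean_title("music"), valid_clean_title(UNION_TITLE),
        valid_category_id("2"), valid_category_id(TAUTOLOGY_ID),
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the vulnerable lookup returning the password hash for the UNION payload and every category for the tautology payload, while the parameterized lookup returns nothing for the first and refuses the second before any query is built. The validators are only a stopgap for the request boundary; the parameterized query is what removes the vulnerability.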
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T18:30:14.128Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6c6913c064ed76fdc2961
Added to database: 3/27/2026, 6:04:01 PM
Last enriched: 3/27/2026, 6:06:20 PM
Last updated: 3/28/2026, 12:40:02 AM