CVE-2026-33770: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
AI Analysis
Technical Summary
WWBN AVideo, an open source video platform, suffers from an SQL injection vulnerability (CWE-89) in the fixCleanTitle() method of objects/category.php in versions up to 26.0. The method builds a SQL SELECT query by directly interpolating the variables $clean_title and $id into the query string without proper sanitization or use of parameterized queries. This improper neutralization of special elements in SQL commands enables attackers with the ability to create or rename categories to inject arbitrary SQL code. The vulnerability has a CVSS 4.0 base score of 7.1, indicating high severity. A patch fixing this issue is available in the referenced commit 994cc2b3d802b819e07e6088338e8bf4e484aae4.
Potential Impact
Successful exploitation allows an attacker with limited privileges (able to create or rename categories) to execute arbitrary SQL commands on the backend database. This can lead to unauthorized data access or manipulation within the AVideo platform. There are no known exploits in the wild at this time.
Mitigation Recommendations
A patch fixing this vulnerability is available as indicated by the referenced commit 994cc2b3d802b819e07e6088338e8bf4e484aae4. Users of WWBN AVideo should apply this patch or upgrade to a version that includes this fix to remediate the vulnerability. Until patched, avoid allowing untrusted users to create or rename categories with arbitrary input.
CVE-2026-33770: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo, an open source video platform, suffers from an SQL injection vulnerability (CWE-89) in the fixCleanTitle() method of objects/category.php in versions up to 26.0. The method builds a SQL SELECT query by directly interpolating the variables $clean_title and $id into the query string without proper sanitization or use of parameterized queries. This improper neutralization of special elements in SQL commands enables attackers with the ability to create or rename categories to inject arbitrary SQL code. The vulnerability has a CVSS 4.0 base score of 7.1, indicating high severity. A patch fixing this issue is available in the referenced commit 994cc2b3d802b819e07e6088338e8bf4e484aae4.
Potential Impact
Successful exploitation allows an attacker with limited privileges (able to create or rename categories) to execute arbitrary SQL commands on the backend database. This can lead to unauthorized data access or manipulation within the AVideo platform. There are no known exploits in the wild at this time.
Mitigation Recommendations
A patch fixing this vulnerability is available as indicated by the referenced commit 994cc2b3d802b819e07e6088338e8bf4e484aae4. Users of WWBN AVideo should apply this patch or upgrade to a version that includes this fix to remediate the vulnerability. Until patched, avoid allowing untrusted users to create or rename categories with arbitrary input.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T18:30:14.128Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c6c6913c064ed76fdc2961
Added to database: 3/27/2026, 6:04:01 PM
Last enriched: 4/4/2026, 10:56:26 AM
Last updated: 5/11/2026, 12:45:31 PM
Views: 38
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.