Platform
php
Component
wwbn/avideo
Fixed in
24.0.1
21.0.1
A critical SQL injection vulnerability has been identified in AVideo, in the objects/videos.json.php and objects/video.php components. The catName parameter of a JSON-formatted POST request reaches a database query without adequate sanitization, so an unauthenticated attacker can inject SQL through it and bypass the existing security checks. Affected versions are those prior to 24.0; a fix is available in version 24.0.
The impact is severe. An attacker can execute arbitrary SQL against the application database and thereby read or modify its contents at will, including administrator usernames and password hashes, customer data and other confidential business information. Successful exploitation can lead to data breaches, unauthorized access and significant service disruption. Because the existing sanitization is bypassed rather than merely weakened, exploitation is relatively straightforward.
This vulnerability was publicly disclosed on 2026-03-02. The CVSS score of 9.8 (CRITICAL) measures severity, not likelihood of exploitation; the EPSS value listed below (0.04%) currently predicts a low probability of in-the-wild exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability is simple to trigger and requires no credentials, so a PoC is likely to emerge.
Organizations running AVideo versions prior to 24.0 are at significant risk, particularly those with publicly reachable instances or those handling sensitive user data. Multi-tenant or shared-hosting deployments in which several customers are served from one AVideo installation and one database are especially exposed: because no account is needed, a single request can reach every tenant's data.
• php / web:
# Non-destructive probe against your own instance (a tautology instead of the
# destructive DROP TABLE): compare the response with that for a legitimate
# catName value. On a patched server the payload must be handled as a plain string.
curl -X POST -H "Content-Type: application/json" \
  -d "{\"catName\": \"' OR '1'='1\"}" \
  http://your-avideo-server/objects/videos.json.php
• generic web:
# Apache access logs record the request line, not the POST body, so this only
# catches payloads sent in the query string. JSON bodies need a body-logging
# WAF (e.g. a ModSecurity audit log) or application-level logging.
grep -i "DROP TABLE" /var/log/apache2/access.log
• generic web:
# -F matches the pattern literally; without it grep reads "T * " as a repetition
# of the space and never matches the actual text.
grep -iF "SELECT * FROM" /var/log/apache2/error.log
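The grep commands above cannot see JSON POST bodies. The following added example (written for this page, not AVideo project tooling) shows the check a body-logging proxy or WAF audit log makes possible: it parses one JSON object per line, picks out POST requests to the two affected endpoints, decodes the JSON body, and flags catName values that carry SQL injection markers. The log format, the sample lines and the marker list are all constructed assumptions.

```python
"""Flag SQL injection attempts in the catName field of JSON POST bodies.

Added example, not part of AVideo. Assumes a body-logging proxy or WAF audit
log that writes one JSON object per line with the fields ts, src, method,
path and body (this format is hypothetical).
"""
import json
import re

# The two endpoints named in the advisory.
TARGET_PATHS = ("/objects/videos.json.php", "/objects/video.php")

# Markers typical of SQL injection payloads: quote, comment starts and a few
# keywords as whole words. Tune to the false-positive rate of your site.
SQLI_MARKERS = re.compile(
    r"(')|(--)|(/\*)|\b(OR|AND|UNION|SELECT|DROP|SLEEP|BENCHMARK)\b",
    re.IGNORECASE,
)

# Constructed sample log lines (not real traffic). The inner \" escapes are the
# JSON encoding of the request body embedded in the log record.
SAMPLE_LOG = """\
{"ts":"2026-03-02T10:00:01Z","src":"203.0.113.5","method":"POST","path":"/objects/videos.json.php","body":"{\\"catName\\":\\"music\\"}"}
{"ts":"2026-03-02T10:00:02Z","src":"198.51.100.7","method":"POST","path":"/objects/videos.json.php","body":"{\\"catName\\":\\"' OR '1'='1\\"}"}
{"ts":"2026-03-02T10:00:03Z","src":"198.51.100.7","method":"POST","path":"/objects/video.php","body":"{\\"catName\\":\\"x' UNION SELECT user,pass FROM users--\\"}"}
{"ts":"2026-03-02T10:00:04Z","src":"192.0.2.9","method":"GET","path":"/objects/videos.json.php","body":""}
{"ts":"2026-03-02T10:00:05Z","src":"192.0.2.9","method":"POST","path":"/index.php","body":"not json at all"}
"""


def parse_line(line: str):
    """Return the log record as a dict, or None if the line is not JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def catname_of(entry: dict):
    """Return the catName string from a POST to an affected endpoint, else None."""
    if entry.get("method") != "POST" or entry.get("path") not in TARGET_PATHS:
        return None
    try:
        body = json.loads(entry.get("body") or "")
    except json.JSONDecodeError:
        return None  # form-encoded or empty bodies are not the JSON path described
    if not isinstance(body, dict):
        return None
    value = body.get("catName")
    return value if isinstance(value, str) else None


def scan(log_text: str) -> list:
    """Scan a body-logging text and return one hit per suspicious catName."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        cat = catname_of(entry)
        if cat is None:
            continue
        match = SQLI_MARKERS.search(cat)
        if match:
            hits.append({
                "src": entry.get("src"),
                "path": entry["path"],
                "catName": cat,
                "marker": match.group(0),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run it over the real audit log with `scan(open(path).read())`. A single quote in a category name is the most likely false positive (for example "Rock 'n' Roll"), so an allow-list of legitimate category names is a sensible next step before alerting on every hit.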
Exploit status
EPSS
0.04% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade AVideo to version 24.0 or later, which contains the fix. If an immediate upgrade is not possible, add a Web Application Firewall (WAF) rule that blocks requests whose catName value contains SQL injection payloads; because the payload travels in a JSON POST body, the rule must inspect request bodies, not only the URL. Review who needs to reach objects/videos.json.php and objects/video.php and restrict access where the site's functionality allows it. Monitor application and database logs for unusual query patterns or SQL syntax errors that may indicate an attempt. After upgrading, confirm the fix by sending a non-destructive SQL injection payload via the catName parameter and verifying that it is handled as a plain string and does not alter the query.
Update AVideo to version 24.0 or later. This version fixes the unauthenticated SQL injection vulnerability. The update can be performed through the administration panel or by downloading the latest software release.
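To make the root cause and the "confirm the fix" step concrete, here is an added example (not AVideo's code; the schema, handlers and data are hypothetical and use an in-memory SQLite database). The vulnerable handler splices the JSON catName value into the SQL text, so a tautology payload returns rows from every category; the hardened handler binds the same value as a query parameter and the payload is treated as a literal category name. The `probe` function is the non-destructive check described above: it compares a legitimate request with the injected one and the two results differ only while the injection works.

```python
"""Vulnerable vs. parameterized handling of a JSON catName value.

Added example, not AVideo code. The tables, the handlers and the sample rows
are constructed assumptions; the real AVideo schema is not reproduced here.
"""
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one public and one private category."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, category_id INTEGER);
        INSERT INTO categories VALUES (1, 'music'), (2, 'private');
        INSERT INTO videos VALUES (1, 'public clip', 1), (2, 'internal only', 2);
        """
    )
    return conn


def vulnerable_handler(conn: sqlite3.Connection, body: str) -> list:
    """Hypothetical 'before' code: the JSON value becomes part of the SQL text."""
    cat_name = json.loads(body)["catName"]
    sql = (
        "SELECT v.title FROM videos v JOIN categories c ON c.id = v.category_id "
        f"WHERE c.name = '{cat_name}' ORDER BY v.id"
    )
    return [row[0] for row in conn.execute(sql)]


def hardened_handler(conn: sqlite3.Connection, body: str) -> list:
    """'After' code: the value is bound as a parameter and never parsed as SQL."""
    cat_name = json.loads(body)["catName"]
    if not isinstance(cat_name, str):
        raise ValueError("catName must be a string")
    sql = (
        "SELECT v.title FROM videos v JOIN categories c ON c.id = v.category_id "
        "WHERE c.name = ? ORDER BY v.id"
    )
    return [row[0] for row in conn.execute(sql, (cat_name,))]


def probe(handler) -> dict:
    """Non-destructive verification: a tautology must not change the result set."""
    conn = make_db()
    normal = json.dumps({"catName": "music"})
    tautology = json.dumps({"catName": "' OR '1'='1"})
    return {
        "normal": handler(conn, normal),
        "injected": handler(conn, tautology),
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("hardened", hardened_handler)):
        print(name, probe(handler))
```

The vulnerable handler returns both titles for the tautology, including the row in the private category; the hardened one returns nothing because no category is literally named `' OR '1'='1`. The same comparison, made with `curl` against a real instance before and after the upgrade, is the check the mitigation paragraph asks for.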
CVE-2026-28501 describes a critical SQL Injection vulnerability in AVideo versions prior to 24.0, allowing unauthenticated attackers to execute arbitrary SQL queries and potentially steal the entire database.
You are affected if you are running AVideo versions equal to or less than 21.0.0. Immediately assess your environment and upgrade to version 24.0 or later.
The recommended fix is to upgrade AVideo to version 24.0 or later. As a temporary workaround, implement strict input validation and consider using a WAF.
While no confirmed active exploitation has been publicly reported, the vulnerability's ease of exploitation suggests it could be targeted. Proactive remediation is strongly advised.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-28501.