Platform
php
Component
wwbn/avideo
Fixed in
24.0.1
21.0.1
A critical SQL injection vulnerability has been identified in AVideo in the objects/videos.json.php and objects/video.php components. An unauthenticated attacker can inject SQL through the catName parameter of a JSON POST request: the value is taken from the decoded JSON body, so it reaches the query without passing through the sanitization that guards the equivalent form-encoded input. The Fixed in field above lists 24.0.1 and 21.0.1 as the patched releases; earlier releases should be treated as affected.
The impact is severe. Because no authentication is required, an attacker can execute arbitrary SQL against the AVideo database, up to and including exfiltration of its entire contents. That includes administrator usernames and whatever other confidential data the database holds, which can lead to complete compromise of the installation. The sanitization bypass through the JSON parsing path is what makes exploitation straightforward: the same parameter that would be escaped as a form field is used raw when it arrives as JSON.
The EPSS score shown below (0.04%, 10th percentile) is low, and no public exploit had been confirmed at the time of writing. The attack vector is nevertheless simple: a single unauthenticated JSON POST with a crafted catName value, with nothing to defeat beyond the application's own input handling. Treat exploitation as feasible and prioritise remediation. The vulnerability was publicly disclosed on 2026-03-02.
Exploit Status
EPSS
0.04% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched release (24.0.1, or 21.0.1 on the 21.x line, per the Fixed in field above). If an immediate upgrade is not possible, the following reduce exposure but do not remove the flaw. Validate catName against an allowlist (for example a slug pattern of letters, digits, hyphens and underscores with a length cap) and reject, rather than escape, anything else; apply the check on every input path, including the decoded JSON body, since that is the path the existing sanitization misses. A WAF rule can block quote characters, comment sequences and SQL keywords inside the catName field, but only if the WAF is configured to parse application/json request bodies, and pattern rules are often evaded with encoding tricks, so treat it as a stopgap. Monitor web server and application logs for unauthenticated JSON POST requests to objects/videos.json.php and objects/video.php, and for database errors or unusually slow queries that follow them. Finally, run AVideo with a database account confined to its own schema and the privileges it actually needs, so that a successful injection cannot read other databases or write files on the database host.
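The PHP below is an added illustration written for this page, not AVideo's code, showing the class of bug described above next to its hardened form. The table and column names (videos, categories, clean_name), the slug format assumed for catName, and the shape of the request handler are assumptions made for the example; the points that carry over are that the JSON path must go through the same allowlist check as the form path, and that the value must be bound as a query parameter rather than interpolated.

```php
<?php
// Added illustration (not AVideo's code): why a JSON body can sidestep
// sanitization that is applied only to form fields, and how to close the hole.
// Table/column names and the catName slug format are assumptions for this example.
declare(strict_types=1);

// --- Vulnerable pattern (illustrative) --------------------------------------
// Form-encoded input is escaped, but a JSON body is decoded and used raw, so
// the escaping never runs for application/json requests.
function buildQueryVulnerable(mysqli $db, array $post, string $rawBody): string
{
    $catName = isset($post['catName']) ? $db->real_escape_string((string) $post['catName']) : '';
    $json = json_decode($rawBody, true);
    if (is_array($json) && isset($json['catName'])) {
        $catName = (string) $json['catName'];   // raw value: escaping is bypassed
    }
    // String interpolation: a catName such as  x' OR 1=1 --  makes the WHERE clause always true
    return "SELECT v.id, v.title FROM videos v JOIN categories c ON v.categories_id = c.id "
         . "WHERE c.clean_name = '$catName'";
}

// --- Hardened pattern ---------------------------------------------------------
// One input reader for both paths, strict allowlist validation, and a prepared
// statement so the value can never alter the SQL structure however it arrived.
function readCatName(array $post, string $rawBody): ?string
{
    $value = $post['catName'] ?? null;
    $json = json_decode($rawBody, true);
    if (is_array($json) && array_key_exists('catName', $json)) {
        $value = $json['catName'];              // JSON path goes through the same check below
    }
    if (!is_string($value)) {
        return null;                            // arrays/objects/numbers are rejected outright
    }
    // Allowlist: category clean names are URL-slug style (assumption for this example)
    return preg_match('/^[a-z0-9_-]{1,64}$/', $value) === 1 ? $value : null;
}

function fetchVideosByCategory(mysqli $db, string $catName): array
{
    // Requires mysqlnd for get_result(); otherwise use bind_result()/fetch().
    $stmt = $db->prepare(
        'SELECT v.id, v.title FROM videos v JOIN categories c ON v.categories_id = c.id '
        . 'WHERE c.clean_name = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $catName);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Request handling: reject anything outside the allowlist instead of "cleaning" it.
function handle(mysqli $db): void
{
    $rawBody = file_get_contents('php://input');
    $catName = readCatName($_POST, $rawBody === false ? '' : $rawBody);
    header('Content-Type: application/json');
    if ($catName === null) {
        http_response_code(400);
        echo json_encode(['error' => 'invalid catName']);
        return;
    }
    echo json_encode(fetchVideosByCategory($db, $catName));
}
```

With a JSON body such as {"catName":"x' OR 1=1 -- "}, readCatName() returns null and handle() answers 400, whereas buildQueryVulnerable() would produce a query whose WHERE clause is always true. Rejecting invalid input rather than escaping it also keeps the log signal clean: every 400 on this endpoint with a JSON content type is worth a look.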
Update AVideo to 24.0.1 or later (21.0.1 or later on the 21.x line), per the Fixed in field above. These releases fix the unauthenticated SQL injection vulnerability. The update can be performed through the administration panel or by downloading the latest version of the software.
CVE-2026-28501 describes a critical SQL injection vulnerability in AVideo, fixed in 24.0.1 and 21.0.1 per the Fixed in field above, that allows unauthenticated attackers to execute arbitrary SQL queries and exfiltrate the entire database.
You are affected if you run an AVideo release older than the patched versions listed under Fixed in (24.0.1, or 21.0.1 on the 21.x line). Identify every instance in your environment and upgrade.
The recommended fix is to upgrade to 24.0.1 or later (21.0.1 or later on the 21.x line). Until then, allowlist validation of catName on every input path and a WAF rule that inspects JSON bodies reduce, but do not eliminate, the risk.
While no active exploitation had been publicly reported at the time of writing, the flaw is unauthenticated and easy to exploit, so it is a likely target. Proactive remediation is strongly advised.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-28501.