Platform
php
Component
avideo
Fixed in
26.0.1
CVE-2026-34374 describes a critical SQL Injection vulnerability affecting AVideo, an open-source video platform. This flaw arises from improper handling of stream keys within the Live_schedule::keyExists() method, allowing attackers to inject malicious SQL code. Versions up to and including 26.0 are vulnerable. A fix is available via upgrading to a patched version of AVideo.
An attacker exploiting this SQL Injection vulnerability could potentially gain unauthorized access to sensitive data stored within the AVideo database. This includes user credentials, video metadata, and potentially other application-specific information. Successful exploitation could lead to data breaches, modification of data, or even complete system compromise. The lack of parameterization in the SQL query construction makes this vulnerability particularly dangerous, as it bypasses standard input validation techniques. The impact is amplified by the potential for lateral movement within the affected system if the database user has sufficient privileges.
This vulnerability was publicly disclosed on 2026-03-27. The severity is rated as CRITICAL (CVSS 9.1). While no public proof-of-concept (PoC) has been identified at the time of writing, the ease of exploitation inherent in SQL Injection vulnerabilities suggests a high probability of exploitation. It is recommended to prioritize remediation efforts. This vulnerability is distinct from a previously reported issue (GHSA-pvw4-p2jm-chjm) and should be addressed independently.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34374 is to upgrade AVideo to a version containing the security patch. If immediate upgrading is not feasible due to compatibility issues or downtime constraints, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL injection attempts targeting the Liveschedule::keyExists() endpoint. Thoroughly review and sanitize all user-supplied input before incorporating it into SQL queries. Monitor database logs for unusual activity or SQL errors that may indicate exploitation attempts. After upgrading, confirm the fix by attempting a SQL injection attack on the Liveschedule::keyExists() endpoint and verifying that the attack is properly blocked.
Update AVideo to a patched version that fixes the SQL Injection vulnerability. Since no patched versions are available at the time of publication, it is recommended to monitor WWBN security updates and apply the patch as soon as it is available. As a temporary measure, strict validation of the stream key can be implemented before interpolating it into the SQL query.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34374 is a critical SQL Injection vulnerability in AVideo versions up to 26.0, allowing attackers to inject malicious SQL code into database queries.
If you are running AVideo version 26.0 or earlier, you are vulnerable to this SQL Injection flaw. Upgrade immediately.
The recommended fix is to upgrade AVideo to a patched version that addresses this vulnerability. Consider a WAF as a temporary mitigation.
While no active exploitation has been confirmed, the ease of exploitation suggests a high probability of future attacks. Proactive remediation is crucial.
Refer to the AVideo project's official website and security advisories for the latest information and patch releases.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.