Platform
php
Component
wwbn/avideo
Fixed version
26.0.1
CVE-2026-33352 describes a critical SQL injection vulnerability affecting wwbn/avideo versions up to 26.0. This flaw allows unauthenticated attackers to inject malicious SQL code through the doNotShowCats request parameter, potentially compromising sensitive data. The vulnerability resides in the getAllCategories() method within objects/category.php. A fix is available in version 26.0.
Successful exploitation of CVE-2026-33352 could allow an attacker to bypass authentication and directly manipulate the database. This could result in unauthorized access to sensitive information, including user credentials, financial data, and other confidential records. Depending on the database structure and permissions, an attacker might also be able to modify or delete data, leading to denial of service or further compromise. The lack of authentication required for exploitation significantly broadens the attack surface, making it a high-priority concern.
CVE-2026-33352 was publicly disclosed on 2026-03-19. While no public proof-of-concept (PoC) has been released, the ease of bypassing the existing sanitization makes exploitation likely. The vulnerability's CRITICAL CVSS score and unauthenticated nature suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations utilizing wwbn/avideo versions prior to 26.0, particularly those with publicly accessible instances and inadequate input validation practices, are at significant risk. Shared hosting environments where multiple users share the same database are especially vulnerable, as a compromise of one user's account could potentially lead to broader data breaches.
• wordpress / composer / npm:
grep -rF "\$_REQUEST['doNotShowCats']" objects/category.php
• generic web:
curl -I 'http://your-avideo-site.com/objects/category.php?doNotShowCats=' # Check for SQL injection indicators in the response headers.
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33352 is to immediately upgrade to version 26.0 or later of wwbn/avideo. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious SQL injection patterns in the doNotShowCats parameter. Thoroughly review and strengthen input validation routines in objects/security.php to ensure all request parameters are properly sanitized. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple SQL query through the doNotShowCats parameter and verifying that it is properly rejected.
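As an added illustration of the input-validation mitigation described above (this is not AVideo's own PHP code, and it assumes doNotShowCats carries a comma-separated list of category IDs to exclude), the following Python sketch applies a strict allow-list parse to the parameter and binds the surviving IDs as query parameters rather than interpolating them into SQL; the sample categories table is constructed for the demo:

```python
import re
import sqlite3

# Constructed sample data standing in for the categories table.
SAMPLE_CATEGORIES = [(1, "Music"), (2, "Sports"), (3, "News"), (4, "Tech")]

# Only a comma-separated list of decimal IDs is accepted (assumption about the
# parameter's intended shape); quotes, spaces and SQL keywords never get through.
_ID_LIST = re.compile(r"\d+(,\d+)*")


def parse_do_not_show_cats(raw):
    """Allow-list parse of the doNotShowCats parameter; rejects anything unexpected."""
    if raw is None or raw == "":
        return []
    if not isinstance(raw, str) or not _ID_LIST.fullmatch(raw):
        raise ValueError("doNotShowCats must be a comma-separated list of integer IDs")
    return [int(x) for x in raw.split(",")]


def get_all_categories(conn, do_not_show_cats=None):
    """Hardened query: excluded IDs are bound as parameters, never concatenated."""
    excluded = parse_do_not_show_cats(do_not_show_cats)
    sql = "SELECT id, name FROM categories"
    params = []
    if excluded:
        placeholders = ",".join("?" * len(excluded))
        sql += f" WHERE id NOT IN ({placeholders})"
        params = excluded
    return [row[1] for row in conn.execute(sql, params)]


def demo_conn():
    """In-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_CATEGORIES)
    return conn


def is_rejected(raw):
    """True when the parameter is refused before any SQL is built."""
    try:
        parse_do_not_show_cats(raw)
    except ValueError:
        return True
    return False
```

A WAF rule can pre-filter obviously malformed values, but the allow-list in the application is the check that actually closes the hole.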
Update AVideo to version 26.0 or later. This version contains the fix for the SQL injection vulnerability, and updating prevents unauthenticated attackers from exploiting it.
CVE-2026-33352 is a critical SQL injection vulnerability in wwbn/avideo versions 26.0 and earlier, allowing attackers to inject malicious SQL code via the 'doNotShowCats' parameter.
If you are using wwbn/avideo versions 26.0 or earlier, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade to version 26.0 or later of wwbn/avideo to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
While no confirmed exploitation is public, the ease of exploitation suggests a high probability of attacks. Monitor your systems closely.
Refer to the official wwbn/avideo security advisory for detailed information and updates regarding CVE-2026-33352.