Platform
php
Component
wwbn/avideo
Fixed version
26.0.1
CVE-2026-33352 describes a critical SQL injection vulnerability affecting wwbn/avideo versions up to 26.0. This flaw allows unauthenticated attackers to inject malicious SQL code through the doNotShowCats request parameter, potentially compromising sensitive data. The vulnerability resides in the getAllCategories() method within objects/category.php. A fix is available in version 26.0.
Successful exploitation of CVE-2026-33352 could allow an attacker to bypass authentication and directly manipulate the database. This could result in unauthorized access to sensitive information, including user credentials, financial data, and other confidential records. Depending on the database structure and permissions, an attacker might also be able to modify or delete data, leading to denial of service or further compromise. The lack of authentication required for exploitation significantly broadens the attack surface, making it a high-priority concern.
CVE-2026-33352 was publicly disclosed on 2026-03-19. While no public proof-of-concept (PoC) has been released, the ease of bypassing the existing sanitization makes exploitation likely. The vulnerability's CRITICAL CVSS score and unauthenticated nature suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations utilizing wwbn/avideo versions prior to 26.0, particularly those with publicly accessible instances and inadequate input validation practices, are at significant risk. Shared hosting environments where multiple users share the same database are especially vulnerable, as a compromise of one user's account could potentially lead to broader data breaches.
• wordpress / composer / npm:
grep -rF "\$_REQUEST['doNotShowCats']" objects/category.php
• generic web:
curl -I 'http://your-avideo-site.com/objects/category.php?doNotShowCats='
# Check for SQL injection indicators in the response headers.
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33352 is to immediately upgrade to version 26.0 or later of wwbn/avideo. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious SQL injection patterns in the doNotShowCats parameter. Thoroughly review and strengthen input validation routines in objects/security.php to ensure all request parameters are properly sanitized. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple SQL query through the doNotShowCats parameter and verifying that it is properly rejected.
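Added example (not wwbn/avideo's own code) of the kind of input validation the mitigation above calls for: the doNotShowCats value is parsed as a whitelist of integer category ids and handed to the query only as bound parameters. The function names, the categories table and the PDO connection are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened handling of the doNotShowCats request parameter.
// Added example; function and table names are assumed, not AVideo's own.

/** Accept only a comma-separated list of decimal category ids; reject everything else. */
function parseDoNotShowCats(?string $raw): array
{
    if ($raw === null || trim($raw) === '') {
        return [];
    }
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // Whitelist, not blacklist: quotes, comments and keywords are never
        // "cleaned" out of the value; any non-numeric token fails the request.
        if (!preg_match('/^\d{1,10}$/', $part)) {
            throw new InvalidArgumentException('doNotShowCats: invalid category id');
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

/** Build the query text with one placeholder per id; the ids never enter the SQL string. */
function buildCategoryQuery(array $excludeIds): array
{
    $sql = 'SELECT id, name FROM categories';
    if ($excludeIds !== []) {
        $placeholders = implode(',', array_fill(0, count($excludeIds), '?'));
        $sql .= ' WHERE id NOT IN (' . $placeholders . ')';
    }
    return [$sql, $excludeIds];
}

// Demonstration on constructed inputs.
[$sql, $params] = buildCategoryQuery(parseDoNotShowCats(' 3, 7,7 '));
echo $sql, PHP_EOL, implode(',', $params), PHP_EOL;

try {
    parseDoNotShowCats("3'"); // constructed probe value: a stray quote is rejected, not escaped
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// In the request handler (assumes $pdo is a PDO connection with emulated prepares off):
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```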
Update AVideo to version 26.0 or later. That release contains the fix for the SQL injection vulnerability, and updating prevents unauthenticated attackers from exploiting it.
CVE-2026-33352 is a critical SQL injection vulnerability in wwbn/avideo versions 26.0 and earlier, allowing attackers to inject malicious SQL code via the 'doNotShowCats' parameter.
If you are using wwbn/avideo versions 26.0 or earlier, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade to version 26.0 or later of wwbn/avideo to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
While no confirmed exploitation is public, the ease of exploitation suggests a high probability of attacks. Monitor your systems closely.
Refer to the official wwbn/avideo security advisory for detailed information and updates regarding CVE-2026-33352.