What is the CVSS score of CVE-2026-28501?

CVE-2026-28501 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2026-28501?

A critical SQL injection vulnerability (CVSS 9.8) affects WWBN AVideo versions up to 24.0, allowing unauthenticated attackers to potentially access, modify, or exfiltrate sensitive data from video…

PHP CVE-2026-28501

CRITICAL

SQL Injection (CWE-89)

2026-03-06 security-advisories@github.com

GHSA-pv87-r9qf-x56p

PHP SQLi Avideo

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 06, 2026 - 04:16 nvd

CRITICAL 9.8

DescriptionNVD

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

AnalysisAI

Unauthenticated SQL injection in AVideo before 24.0.

RemediationAI

Within 24 hours: Inventory all AVideo deployments and confirm affected versions; isolate or restrict external access to AVideo instances pending remediation. Within 7 days: Deploy Web Application Firewall (WAF) rules to block SQL injection patterns; implement database activity monitoring; consider disabling public-facing AVideo features if risk tolerance is low. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28501 vulnerability details – vuln.today

Back

PHP CVE-2026-28501

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code