CVE-2026-28501

CRITICAL
2026-03-06 [email protected] GHSA-pv87-r9qf-x56p
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 04:16 nvd
CRITICAL 9.8

Tags

PHP SQLi Avideo

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

Analysis

Unauthenticated SQL injection in AVideo before 24.0.

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all AVideo deployments and confirm affected versions; isolate or restrict external access to AVideo instances pending remediation. Within 7 days: Deploy Web Application Firewall (WAF) rules to block SQL injection patterns; implement database activity monitoring; consider disabling public-facing AVideo features if risk tolerance is low. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

49
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +49
POC: 0

Share

CVE-2026-28501 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy