CVE-2026-33767

HIGH
2026-03-26 https://github.com/WWBN/AVideo
7.1
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 26, 2026 - 18:15 vuln.today
Patch Released
Mar 26, 2026 - 18:15 nvd
Patch available
CVE Published
Mar 26, 2026 - 18:12 nvd
HIGH 7.1

Tags

PHP SQLi

Description

### Summary In `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. ### Details **File:** `objects/like.php` **Vulnerable code:** ```php $sql = "SELECT * FROM likes WHERE users_id = ? AND videos_id = ".$this->videos_id." LIMIT 1;"; $res = sqlDAL::readSql($sql, "i", [$this->users_id]); ``` The query mixes a parameterized placeholder for `users_id` with raw string concatenation for `videos_id`. The `$this->videos_id` value originates from user-supplied request input (typically a POST/GET parameter identifying the video being liked/disliked) and is not cast to integer or validated before being embedded in the SQL string. All other queries in the same file correctly use `?` placeholders for both columns: ```php // Correct pattern used elsewhere: $sql = "SELECT count(*) as total FROM likes WHERE videos_id = ? AND like = 1"; ``` The inconsistency means any attacker who can submit a like/dislike action with a crafted `videos_id` can inject SQL. Since like/dislike actions are typically available to any authenticated user, the attack surface is broad. ### PoC An attacker sends a like request with an injected `videos_id`: ``` POST /objects/likeAjax.json.php videos_id=1 UNION SELECT user,password,3,4,5,6,7,8 FROM users-- - ``` This causes the backend to execute: ```sql SELECT * FROM likes WHERE users_id = 1 AND videos_id = 1 UNION SELECT user,password,3,4,5,6,7,8 FROM users-- - LIMIT 1; ``` Result: full database read - user credentials, emails, private content, and any other data accessible to the MySQL user. ### Impact - **Severity:** High - **Authentication required:** Yes (must be logged in to like a video), but all registered users qualify - **Impact:** Full database read via UNION-based injection; potential for data modification or deletion depending on DB user privileges - **Fix:** Replace the concatenation with a second `?` placeholder and pass `$this->videos_id` as a bound integer parameter

Analysis

SQL injection in WWBN AVideo objects/like.php allows authenticated users to read and potentially modify the entire database by injecting malicious payloads into the videos_id parameter during like/dislike actions. The vulnerability affects pkg:composer/wwbn_avideo and arises from mixing parameterized queries with direct string concatenation. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all systems running pkg:composer/wwbn_avideo and document current versions. Within 7 days: Apply the vendor-released patch to all affected WWBN AVideo instances; verify patch deployment across production and non-production environments. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

36
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Share

CVE-2026-33767 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy