Skip to main content

Avideo CVE-2026-34374

| EUVDEUVD-2026-16750 CRITICAL
SQL Injection (CWE-89)
2026-03-27 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 19:00 euvd
EUVD-2026-16750
Analysis Generated
Mar 27, 2026 - 19:00 vuln.today
CVE Published
Mar 27, 2026 - 18:16 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Live_schedule::keyExists() method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists() when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to Live_schedule::keyExists() undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the live_schedule_id parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.

AnalysisAI

SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch identified at time of analysis, and no public exploit identified at time of analysis.

Technical ContextAI

WWBN AVideo is an open-source video platform solution (cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*) that supports RTMP-based live streaming. The vulnerability stems from CWE-89 (SQL Injection) where the Live_schedule::keyExists() method constructs SQL queries using direct string interpolation of the stream key parameter. While LiveTransmition::keyExists() initially employs parameterized queries, the code falls back to the vulnerable Live_schedule method when no results are returned, bypassing the initial protection. This affects the RTMP publish authentication flow, where stream keys are validated before allowing broadcasters to transmit live video. The flaw is distinct from GHSA-pvw4-p2jm-chjm which targets the live_schedule_id parameter in reminder functionality.

RemediationAI

No vendor-released patch identified at time of analysis according to advisory documentation. Organizations should immediately implement compensating controls: deploy a web application firewall with SQL injection signature detection rules targeting the RTMP authentication endpoints, restrict RTMP port access (typically TCP 1935) to trusted IP ranges using network-layer access controls, implement database query monitoring to detect anomalous SQL patterns in Live_schedule table operations, and consider disabling live streaming functionality if not operationally required. Monitor the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-xgv5-66wp-ch88 for upstream patch releases and code commits addressing this issue. Review application logs for suspicious stream key validation attempts showing SQL syntax patterns or timing-based enumeration indicators.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2026-34374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy