Cyber Posture

CVE-2026-28501

Severity: Critical
Published: 06 March 2026
Modified: 16 March 2026
KEV Added:
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2574 (96.3rd percentile)
Risk Priority: 35 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly requires validating and sanitizing untrusted inputs like the catName parameter in JSON POST requests to prevent SQL injection exploitation.

- prevent: Mandates timely identification, reporting, and patching of flaws such as this SQL injection vulnerability fixed in AVideo version 24.0.

- prevent/detect: Enables deployment of web application firewalls at system boundaries to inspect and block malicious SQL payloads targeting the affected endpoints.

Security Summary

CVE-2026-28501 is an unauthenticated SQL injection vulnerability (CWE-89) affecting WWBN AVideo, an open-source video platform, in versions prior to 24.0. The flaw resides in the objects/videos.json.php and objects/video.php components, where the catName parameter supplied via a JSON-formatted POST request body is not properly sanitized. JSON input is parsed and merged into the $_REQUEST superglobal after global security checks have executed, allowing payloads to bypass existing sanitization mechanisms. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Any unauthenticated attacker with network access can exploit this vulnerability by sending a crafted JSON POST request to the affected endpoints, injecting malicious SQL via the catName parameter. Successful exploitation could enable arbitrary SQL query execution, potentially leading to full database compromise, including data exfiltration, modification, or deletion, as well as server-side availability disruption.

The issue has been addressed in AVideo version 24.0, as detailed in the project's GitHub security advisory (GHSA-pv87-r9qf-x56p), release notes, and the patching commit. Security practitioners should upgrade to version 24.0 or later and review access logs for suspicious POST requests to the affected components.
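The ordering flaw described above (JSON body merged into $_REQUEST only after the global checks have run) in a minimal form, with the corrected ordering and a parameterised query beside it. This is an added illustration, not AVideo's code; globalSanitize is a hypothetical stand-in for the project's global input filter and the categories table is constructed for the demo.

```php
<?php
// Added illustration of the flaw class, not AVideo's code.

// Hypothetical stand-in for a global input filter that runs once at request start.
function globalSanitize(array $req): array {
    return array_map(fn($v) => is_string($v) ? strip_tags($v) : $v, $req);
}

// Vulnerable ordering: the filter sees only query/form data; the JSON body is
// merged into $_REQUEST afterwards and reaches the query by string interpolation.
function lookupVulnerable(PDO $db, string $rawJson): array {
    $_REQUEST = globalSanitize($_REQUEST);            // global check runs here
    $body = json_decode($rawJson, true);
    if (is_array($body)) {
        $_REQUEST = array_merge($_REQUEST, $body);    // merged after the check: bypass
    }
    $catName = $_REQUEST['catName'] ?? '';
    return $db->query("SELECT id, name FROM categories WHERE name = '$catName'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened ordering: merge every input source first so the filter sees all of
// it, then bind the value as a parameter so the query shape cannot change anyway.
function lookupHardened(PDO $db, string $rawJson): array {
    $body = json_decode($rawJson, true);
    $merged = is_array($body) ? array_merge($_REQUEST, $body) : $_REQUEST;
    $req = globalSanitize($merged);
    $catName = $req['catName'] ?? '';
    if (!is_string($catName) || strlen($catName) > 100) {
        return [];                                    // reject unexpected type or length
    }
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE name = :catName');
    $stmt->execute([':catName' => $catName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories (name) VALUES ('music'), ('news')");
$_REQUEST = [];                                       // no query/form input in this demo
print_r(lookupHardened($db, '{"catName":"music"}'));        // one row: music
print_r(lookupHardened($db, '{"catName":"rock\'n\'roll"}')); // no rows, no SQL error
```

The second hardened call shows the point of binding: a quote character in the JSON value is compared as a literal and simply matches nothing, instead of altering the statement.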

Details

CWE(s)

Affected Products: wwbn / avideo ≤ 24.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated SQL injection in public-facing web application endpoints directly enables exploitation of public-facing applications (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References