VYPR
Critical severityNVD Advisory· Published Mar 6, 2026· Updated Mar 6, 2026

WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php

CVE-2026-28501

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
wwbn/avideoPackagist
<= 21.0.0

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

1