Critical severityNVD Advisory· Published Mar 6, 2026· Updated Mar 6, 2026
WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
CVE-2026-28501
Description
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 21.0.0 | — |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-pv87-r9qf-x56pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28501ghsaADVISORY
- github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/releases/tag/24.0ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56pghsax_refsource_CONFIRMWEB
News mentions
1- Metasploit Wrap-Up 04/17/2026Rapid7 Blog · Apr 17, 2026