Critical severityNVD Advisory· Published Mar 6, 2026· Updated Mar 6, 2026
WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
CVE-2026-28501
Description
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 21.0.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-pv87-r9qf-x56pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28501ghsaADVISORY
- github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/releases/tag/24.0ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56pghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.