Critical severityNVD Advisory· Published Mar 23, 2026· Updated Mar 24, 2026
AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
CVE-2026-33352
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in objects/category.php in the getAllCategories() method. The doNotShowCats request parameter is sanitized only by stripping single-quote characters (str_replace("'", '', ...)), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in objects/security.php. Version 26.0 contains a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-mcj5-6qr4-95fjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33352ghsaADVISORY
- github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fjghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.