AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP on_publish callback at plugin/Live/on_publish.php is accessible without authentication. The $_POST['name'] parameter (stream key) is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch.
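To make the defect concrete, the following is an added illustration, not AVideo's code and not the fix in the referenced commit: a stream-key lookup of the kind the advisory describes for keyExists(), written once with the $_POST['name'] value interpolated into the SQL string and once with a bound parameter plus an allow-list check on the key's format. The table and column names and the mysqli connection details are assumptions.

```php
<?php
// Added example, not AVideo's code. Table/column names and credentials are placeholders.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'avideo');

// Vulnerable pattern: the stream key supplied by the RTMP on_publish callback
// is concatenated straight into the SQL text, so the key's characters are
// parsed as SQL rather than treated as a value.
function keyExistsVulnerable(mysqli $db, string $name): bool
{
    $sql = "SELECT id FROM live_transmitions WHERE `key` = '{$name}' LIMIT 1";
    $res = $db->query($sql);
    return $res !== false && $res->num_rows > 0;
}

// Hardened pattern: the key is bound as a parameter, so it can only ever be
// data, and keys outside the expected character set are refused before any
// query runs (the allowed pattern is an assumption about stream-key format).
function keyExistsSafe(mysqli $db, string $name): bool
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false; // malformed stream key: deny the publish
    }
    $stmt = $db->prepare("SELECT id FROM live_transmitions WHERE `key` = ? LIMIT 1");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// An on_publish handler rejects the stream with a non-2xx status so the
// RTMP server drops the connection.
$name = $_POST['name'] ?? '';
if (!keyExistsSafe($db, $name)) {
    http_response_code(403);
    exit;
}
```

Because the callback is reachable without authentication, a request log showing on_publish.php hits with stream names containing quotes, comments or SQL keywords is a useful detection signal while the patched version is rolled out.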
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
Affected products
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-8p58-35c3-ccxx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33485 (NVD entry)
- github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549 (patch commit)
- github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx (vendor advisory)