High severity8.8NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
CVE-2026-33767
CVE-2026-33767
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, in objects/like.php, the getLike() method constructs a SQL query using a prepared statement placeholder (?) for users_id but directly concatenates $this->videos_id into the query string without parameterization. An attacker who can control the videos_id value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | < 26.0 | 26.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/WWBN/AVideo/commit/0215d3c4f1ee748b8880254967b51784b8ac4080nvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-fj74-qxj7-r3vcnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-fj74-qxj7-r3vcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33767ghsaADVISORY
News mentions
0No linked articles in our index yet.