{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33651", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.217Z", "datePublished": "2026-03-23T18:38:22.655Z", "dateUpdated": "2026-03-24T14:26:15.593Z"}, "containers": {"cna": {"title": "AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm"}, {"name": "https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:38:22.655Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch."}], "source": {"advisory": "GHSA-pvw4-p2jm-chjm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:25:58.063598Z", "id": "CVE-2026-33651", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:26:15.593Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33651", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:25:58.063598Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:26:07.584Z"}}], "cna": {"title": "AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()", "source": {"advisory": "GHSA-pvw4-p2jm-chjm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144", "name": "https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:38:22.655Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33651", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:26:15.593Z", "dateReserved": "2026-03-23T15:23:42.217Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T18:38:22.655Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint 'remindMe.json.php' pasa '$_REQUEST['live_schedule_id']' a trav\u00e9s de m\u00faltiples funciones sin sanitizaci\u00f3n hasta que llega a 'Scheduler_commands::getAllActiveOrToRepeat()', que lo concatena directamente en una cl\u00e1usula SQL 'LIKE'. Aunque las funciones intermedias ('new Live_schedule()', 'getUsers_idOrCompany()') aplican 'intval()' internamente, lo hacen en copias locales dentro de 'ObjectYPT::getFromDb()', dejando la variable original contaminada sin cambios. Cualquier usuario autenticado puede realizar una inyecci\u00f3n SQL ciega basada en tiempo para extraer contenido arbitrario de la base de datos. El commit 75d45780728294ededa1e3f842f95295d3e7d144 contiene un parche."}], "id": "CVE-2026-33651", "lastModified": "2026-03-25T18:02:12.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-23T19:16:41.383", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-25T20:04:40.939536+00:00", "value": {"mitigation_remediation": ["Apply the patch contained in commit 75d45780728294ededa1e3f842f95295d3e7d144 to secure the remindMe.json.php endpoint.", "Ensure the AVideo instance is updated to a version newer than 26.0; verify the current installation version and upgrade if necessary.", "If immediate patching is not possible, constrain access to the remindMe.json.php endpoint to trusted users or implement additional authentication checks.", "Review database permissions and restrict access to sensitive tables to limit the potential damage from a successful injection."], "summary": {"action": "Patch Now", "impact": "Data Breach"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN AVideo, an open source video platform. Versions up to and including 26.0 are vulnerable. The issue stems from the remindMe.json.php endpoint in the scheduler component, which relies on the live_schedule_id request parameter. Upgrading beyond version 26.0 or applying the vendor patch eliminates the flaw.", "description_and_impact": "A blind SQL injection vulnerability exists in the AVideo platform\u2019s remindMe.json.php endpoint, allowing any authenticated user to inject malicious SQL through the live_schedule_id parameter. The application passes this value through several functions without proper sanitization; only local copies are converted to integers, leaving the original tainted variable to be concatenated directly into a SQL LIKE clause. This flaw permits attackers to perform time\u2011based blind injections and retrieve arbitrary database contents, potentially exposing confidential user data and system configuration. The underlying weakness is identified as CWE\u201189 and can lead to significant confidentiality compromise, and if the database contains privileged information, it could also impact integrity.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity, and the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog, implying no known widespread exploitation yet. A valid authenticated session is required to exploit the flaw, and the attack vector is inferred to be a remote web-based request to the remindMe.json.php endpoint. Because the attack requires sustained time\u2011based queries to infer data, successful exploitation would likely be noticeable to vigilant monitoring. Overall, the risk remains high due to the severe impact of data exfiltration, despite the low EPSS."}}}}, "created": "2026-03-24T10:33:18.616526+00:00", "updated": "2026-03-25T20:37:10.406994+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}