CVE-2026-33767 - Vulnerability Details

CVE-2026-33767 - AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/WWBN/AVideo/commit/0215d3c4f1ee748b8880254967b51784b8ac4080
https://github.com/WWBN/AVideo/security/advisories/GHSA-fj74-qxj7-r3vc

History

Fri, 27 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.
Title		AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
Weaknesses		CWE-89
References		https://github.com/WWBN/AVideo/commit/0215d3c4f1ee748b8880254967b51784b8ac4080 https://github.com/WWBN/AVideo/security/advisories/GHSA-fj74-qxj7-r3vc
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-27T16:12:36.907Z

Updated: 2026-03-27T17:27:42.793Z

Reserved: 2026-03-23T18:30:14.127Z

Link: CVE-2026-33767

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T17:16:29.597

Modified: 2026-03-27T17:16:29.597

Link: CVE-2026-33767

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object