GHSA-584P-RPVQ-35VF

Vulnerability from github – Published: 2026-03-26 18:15 – Updated: 2026-03-27 21:40
Summary
AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
Details

Summary

The fixCleanTitle() static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $clean_title and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL.

Details

File: objects/category.php

Vulnerable code:

public static function fixCleanTitle($clean_title, $count, $id, $original_title = "")
{
    global $global;

    $sql = "SELECT * FROM categories WHERE clean_name = '{$clean_title}' ";
    if (!empty($id)) {
        $sql .= " AND id != {$id} ";
    }
    $sql .= " LIMIT 1";
    $res = sqlDAL::readSql($sql, "", [], true);
    // ...
}

Both $clean_title (a user-supplied category name after slug conversion) and $id (the category ID being edited) are embedded directly into the SQL string. The $clean_title value derives from user input through the category save workflow — it is the "clean" URL-slug version of whatever category name the user submits. No escaping or parameterization is applied before the value is placed inside single quotes in the query.

PoC

An authenticated admin creates or renames a category with the title:

test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -

After slug conversion (which typically only strips spaces and special characters, leaving SQL metacharacters that survive inside single quotes), the backend executes:

SELECT * FROM categories WHERE clean_name = 'test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -'  LIMIT 1

This returns rows from the users table, enabling full credential exfiltration. The $id concatenation point is also injectable via a crafted numeric+SQL-suffix value if integer validation is absent.

Impact

  • Type: SQL Injection (CWE-89)
  • Severity: High
  • Authentication required: Admin-level (category management), though the same pattern may be reachable via lower-privilege paths depending on plugin configuration
  • Impact: Full database read; credentials, private video metadata, user PII accessible via UNION injection
  • Fix: Replace direct interpolation with parameterized queries — use ? placeholders and pass $clean_title and (int)$id as bound parameters
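The fix described above, written out as an added example rather than the project's own patch: the same WHERE clause as fixCleanTitle(), but with both user-controlled values passed as bound parameters and the id cast to an integer. It uses PDO with an in-memory SQLite database (tables and rows constructed here) so it runs stand-alone with plain PHP; in AVideo the equivalent change goes through the sqlDAL::readSql call shown in the vulnerable snippet. The function name findCategoryByCleanTitle is this example's own.

```php
<?php
// Added example, not AVideo code: hardened form of the fixCleanTitle() lookup.
// Requires PHP with the pdo_sqlite extension. All data below is constructed.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE categories (id INTEGER PRIMARY KEY, clean_name TEXT)");
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    $db->exec("INSERT INTO categories (id, clean_name) VALUES (1, 'test'), (2, 'music')");
    $db->exec("INSERT INTO users (id, username, password) VALUES (1, 'admin', 'hash-placeholder')");
    return $db;
}

// Hardened lookup (hypothetical name): every user-supplied value travels as a
// bound parameter, so SQL metacharacters in $clean_title are compared as data,
// and $id is coerced to an integer before it is bound.
function findCategoryByCleanTitle(PDO $db, string $clean_title, $id = null): ?array {
    $sql = "SELECT * FROM categories WHERE clean_name = ?";
    $params = [$clean_title];
    if (!empty($id)) {
        $sql .= " AND id != ?";
        $params[] = (int) $id;   // (int) drops any non-numeric suffix appended to the id
    }
    $sql .= " LIMIT 1";
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = buildDb();

// 1. A normal title resolves to the stored category row.
var_dump(findCategoryByCleanTitle($db, 'test'));

// 2. The advisory's PoC title is compared as one literal clean_name value, so
//    the UNION never becomes part of the statement and nothing is read from users.
$poc = "test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -";
var_dump(findCategoryByCleanTitle($db, $poc));

// 3. Excluding the record's own id works as before, and a tampered id string is
//    reduced to its leading integer before it reaches the database.
var_dump(findCategoryByCleanTitle($db, 'test', 1));
var_dump(findCategoryByCleanTitle($db, 'test', '1 OR 1=1'));
```

Case 1 returns the row with id 1; cases 2 and 3 return NULL, because the crafted title matches no clean_name and the only 'test' row is excluded by id. The query text is now fixed at prepare time, which is the property a reviewer should check for in every sqlDAL::readSql call: no variable inside the string, formats and values supplied separately.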

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:15:11Z",
    "nvd_published_at": "2026-03-27T17:16:29Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL.\n\n### Details\n\n**File:** `objects/category.php`\n\n**Vulnerable code:**\n```php\npublic static function fixCleanTitle($clean_title, $count, $id, $original_title = \"\")\n{\n    global $global;\n\n    $sql = \"SELECT * FROM categories WHERE clean_name = \u0027{$clean_title}\u0027 \";\n    if (!empty($id)) {\n        $sql .= \" AND id != {$id} \";\n    }\n    $sql .= \" LIMIT 1\";\n    $res = sqlDAL::readSql($sql, \"\", [], true);\n    // ...\n}\n```\n\nBoth `$clean_title` (a user-supplied category name after slug conversion) and `$id` (the category ID being edited) are embedded directly into the SQL string. The `$clean_title` value derives from user input through the category save workflow \u2014 it is the \"clean\" URL-slug version of whatever category name the user submits. No escaping or parameterization is applied before the value is placed inside single quotes in the query.\n\n### PoC\n\nAn authenticated admin creates or renames a category with the title:\n```\ntest\u0027 UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -\n```\n\nAfter slug conversion (which typically only strips spaces and special characters, leaving SQL metacharacters that survive inside single quotes), the backend executes:\n```sql\nSELECT * FROM categories WHERE clean_name = \u0027test\u0027 UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -\u0027  LIMIT 1\n```\n\nThis returns rows from the `users` table, enabling full credential exfiltration. The `$id` concatenation point is also injectable via a crafted numeric+SQL-suffix value if integer validation is absent.\n\n### Impact\n\n- **Type:** SQL Injection (CWE-89)\n- **Severity:** High\n- **Authentication required:** Admin-level (category management), though the same pattern may be reachable via lower-privilege paths depending on plugin configuration\n- **Impact:** Full database read; credentials, private video metadata, user PII accessible via UNION injection\n- **Fix:** Replace direct interpolation with parameterized queries \u2014 use `?` placeholders and pass `$clean_title` and `(int)$id` as bound parameters",
  "id": "GHSA-584p-rpvq-35vf",
  "modified": "2026-03-27T21:40:43Z",
  "published": "2026-03-26T18:15:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/994cc2b3d802b819e07e6088338e8bf4e484aae4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables"
}