GHSA-PV87-R9QF-X56P

Vulnerability from github – Published: 2026-03-02 20:49 – Updated: 2026-03-06 14:23
VLAI?
Summary
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
Details

Impact

An unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components.

The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms.

This allows an unauthenticated attacker to:

  • Execute arbitrary SQL queries
  • Perform full database exfiltration
  • Extract sensitive data including administrator usernames, password hashes, session identifiers and user records
  • Potentially escalate privileges by cracking password hashes offline
  • Chain with authenticated vulnerabilities to achieve full system compromise

This vulnerability is classified as: - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

Patches

This vulnerability has been fixed in version 23.

Users must upgrade to version 23 or later.

Workarounds

There is no reliable workaround.

The only recommended mitigation is to upgrade immediately to version 23 upon its release.

References

Internal security report.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "21.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T20:49:43Z",
    "nvd_published_at": "2026-03-06T04:16:08Z",
    "severity": "CRITICAL"
  },
  "details": "## Impact\n\nAn unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components.\n\nThe application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms.\n\nThis allows an unauthenticated attacker to:\n\n- Execute arbitrary SQL queries\n- Perform full database exfiltration\n- Extract sensitive data including administrator usernames, password hashes, session identifiers and user records\n- Potentially escalate privileges by cracking password hashes offline\n- Chain with authenticated vulnerabilities to achieve full system compromise\n\nThis vulnerability is classified as:\n- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)\n\n\n## Patches\n\nThis vulnerability has been fixed in version 23.\n\nUsers must upgrade to version 23 or later.\n\n\n## Workarounds\n\nThere is no reliable workaround.\n\nThe only recommended mitigation is to upgrade immediately to version 23 upon its release.\n\n\n## References\n\nInternal security report.",
  "id": "GHSA-pv87-r9qf-x56p",
  "modified": "2026-03-06T14:23:56Z",
  "published": "2026-03-02T20:49:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/releases/tag/24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.