Critical (9.8)

PHP RCE Vulnerability (CVE-2026-28501)

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components...

Affected: PHP

Overview

A critical security vulnerability has been identified in WWBN AVideo, an open-source video platform. This flaw allows an unauthenticated attacker to perform SQL Injection attacks, potentially giving them complete control over the affected database and application.

Vulnerability Details

In versions prior to 24.0, the AVideo platform contains a significant security weakness in two key components: objects/videos.json.php and objects/video.php. The vulnerability stems from how the application handles the catName parameter when it is sent within a JSON-formatted POST request.

Normally, the application has security checks to sanitize user input and prevent SQL injection. However, due to a flaw in the processing order, JSON data is merged into the application’s request variables after these global security checks have already run. This means malicious SQL code hidden within a JSON payload bypasses all existing protections, allowing it to reach and manipulate the database directly.
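To make the processing-order flaw concrete, the following is an added illustration (not AVideo's code) of a global sanitizer that runs before a JSON body is merged into the request variables, beside the hardened form that parses the body first and binds the value. The function names, the videos table and the in-memory SQLite database are assumptions constructed for the demo.

```php
<?php
// Added illustration of the ordering flaw described above; this is not AVideo's
// code. The function names, the videos table and the in-memory SQLite database
// are constructed for the demo.

// Global sanitization pass of the kind the text describes: runs once, early,
// over the request variables, escaping single quotes in string values.
function globalSanitize(array &$vars): void {
    foreach ($vars as $k => $v) {
        $vars[$k] = is_string($v) ? str_replace("'", "''", $v) : $v;
    }
}

// Merge a JSON request body into the request variables.
function mergeJsonBody(array &$vars, string $rawBody): void {
    $json = json_decode($rawBody, true);
    if (is_array($json)) {
        $vars = array_merge($vars, $json);
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE videos (id INTEGER PRIMARY KEY, category TEXT)");
$pdo->exec("INSERT INTO videos (category) VALUES ('rock''n''roll')");

// Constructed request: a JSON body whose catName carries a quote character.
$rawBody = '{"catName":"rock\'n\'roll"}';

// Vulnerable order: the sanitizer sees an empty request, the JSON is merged after.
$post = [];
globalSanitize($post);
mergeJsonBody($post, $rawBody);
$sql = "SELECT id FROM videos WHERE category = '" . $post['catName'] . "'";
try {
    $pdo->query($sql);
    echo "vulnerable order: unescaped value ran as SQL\n";
} catch (PDOException $e) {
    echo "vulnerable order: raw quote reached the SQL parser: " . $e->getMessage() . "\n";
}

// Hardened: merge the body before any checks run, and bind the value so the
// query text never depends on input (no manual escaping needed at all).
$post = [];
mergeJsonBody($post, $rawBody);
$stmt = $pdo->prepare("SELECT id FROM videos WHERE category = :cat");
$stmt->execute([':cat' => $post['catName']]);
echo "hardened: matched " . count($stmt->fetchAll()) . " row(s)\n";
```

The vulnerable branch raises a syntax error because the unescaped quote reached the parser; with a payload instead of an apostrophe the same path would execute attacker-controlled SQL, which is why binding parameters, not sanitizer ordering, is the durable fix.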

Potential Impact

The impact of this vulnerability is severe. An attacker exploiting this flaw can:

  • Access, modify, or delete any data in the application’s database, including user credentials, video metadata, and system configurations.
  • Compromise the underlying server, potentially leading to a full system takeover.
  • Disrupt service availability by corrupting or destroying database contents.

Because the attack requires no authentication, it is especially dangerous and easy to exploit.

Remediation and Mitigation

The primary and definitive solution is to upgrade immediately to AVideo version 24.0 or later, where the vendor has released a patch to correct this vulnerability.

Immediate Action Steps:

  1. Upgrade: All users of WWBN AVideo must upgrade their installation to version 24.0 or later without delay.
  2. Verify: Confirm that your deployment is running the patched version. The vulnerability affects all versions prior to 24.0.
  3. Monitor: Review application and database logs for any suspicious activity or unexpected SQL queries, particularly those targeting the affected components.

If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) with rules to block SQL injection patterns as a temporary, secondary mitigation. However, this is not a substitute for applying the official patch.

For administrators, this serves as a reminder to maintain a regular patch management schedule for all software components, especially publicly accessible web applications.

Metasploit Modules

One Metasploit module is indexed for this CVE: auxiliary/gather/avideo_catname_sqli (source: rapid7/metasploit-framework).
