Critical (9.8)

PHP RCE (CVE-2026-33352)

WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowC...

Affected: Wwbn Avideo

Overview

A critical security vulnerability has been discovered in WWBN AVideo, an open-source video platform. Tracked as CVE-2026-33352, this flaw is an unauthenticated SQL injection, meaning attackers can exploit it without needing a user account. It affects all versions prior to 26.0.

Vulnerability Details

The vulnerability resides in the objects/category.php file, specifically within the getAllCategories() method. The application attempts to sanitize user input from the doNotShowCats request parameter by removing single-quote characters. However, this protection is insufficient and can be easily bypassed using a common SQL escape technique, allowing an attacker to “break out” of the intended database query.

Crucially, this parameter is not checked by the application’s global security filters in objects/security.php, leaving it completely exposed.
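The following is an added illustration, not code from the AVideo project: it places the weak pattern the advisory describes (stripping single quotes and then interpolating the value into a query) beside a hardened form that validates the parameter as a list of integer ids and binds each id with a prepared statement. The function names, the `categories` table, and the assumption that `doNotShowCats` is a comma-separated list of category ids are all hypothetical.

```php
<?php
// Added example (not AVideo's own code). Names and the table layout are assumed.

// WEAK: removing one character from user input and then concatenating the
// result into SQL. The user-controlled string still reaches the query text,
// so a single-character blocklist does not make the value safe.
function buildCategoryQueryWeak(string $doNotShowCats): string
{
    $filtered = str_replace("'", '', $doNotShowCats);
    return "SELECT id, name FROM categories WHERE id NOT IN ({$filtered})";
}

// HARDENED step 1: allowlist-validate the parameter into a list of integers.
// Anything that is not a plain decimal id is rejected before any SQL is built.
function parseCategoryIds(string $doNotShowCats): array
{
    $ids = [];
    foreach (explode(',', $doNotShowCats) as $part) {
        $part = trim($part);
        if ($part === '') {
            continue;
        }
        if (!preg_match('/^\d{1,10}$/', $part)) {
            throw new InvalidArgumentException("Invalid category id: {$part}");
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

// HARDENED step 2: bind every id as a parameter. Only the placeholder list,
// which contains no user data, is built by string concatenation.
function getAllCategoriesHardened(PDO $pdo, string $doNotShowCats): array
{
    $ids = parseCategoryIds($doNotShowCats);
    $sql = 'SELECT id, name FROM categories';
    if ($ids !== []) {
        $placeholders = implode(',', array_fill(0, count($ids), '?'));
        $sql .= " WHERE id NOT IN ({$placeholders})";
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO categories VALUES (1,'News'),(2,'Music'),(3,'Sports')");

// Excludes ids 1 and 3; the ids travel as bound parameters, never as SQL text.
print_r(getAllCategoriesHardened($pdo, '1,3'));

// A non-numeric entry is rejected by the validator before any query runs.
try {
    getAllCategoriesHardened($pdo, '2,abc');
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}

// For comparison, the weak builder simply echoes whatever survived the
// quote-stripping into the query string.
echo buildCategoryQueryWeak('1,3'), "\n";
```

The two steps are independent defences: the allowlist validation alone would already stop the injection for this integer-list parameter, and the prepared statement alone would already stop it too, but keeping both means a later change to the validator (for example, allowing names as well as ids) does not silently reopen the query to injection.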

Potential Impact

With a maximum CVSS score of 9.8 (CRITICAL), this vulnerability poses a severe risk. An unauthenticated remote attacker could exploit it to:

  • Steal sensitive data from the database, including user credentials, personal information, and video metadata.
  • Modify, delete, or corrupt database content, potentially taking the entire video platform offline.
  • In some database configurations, potentially gain further access to the underlying server.

Such breaches can lead to significant operational disruption, data loss, and compliance violations. For context on the damage caused by data leaks, you can review historical breach reports.

Remediation and Mitigation

The primary and only complete solution is to immediately upgrade WWBN AVideo to version 26.0 or later, which contains the official patch.

If immediate upgrading is not possible, consider these temporary mitigation steps while you plan the update:

  1. Restrict Network Access: Use a firewall or network security group to limit access to the AVideo web interface to only trusted IP addresses (e.g., your organization’s network).
  2. Apply a Web Application Firewall (WAF): Deploy or configure a WAF in front of the application with rules specifically designed to block SQL injection payloads. This can help filter malicious requests.

These are stopgap measures and do not replace the need to apply the official patch. System administrators should prioritize this update, as public proof-of-concept code for such flaws often appears quickly. Stay informed on emerging threats by following the latest security news.

Action Summary: Upgrade your WWBN AVideo installation to version 26.0 without delay to resolve this critical vulnerability.
