CVE-2026-28501
📋 TL;DR
CVE-2026-28501 is an unauthenticated SQL injection vulnerability in WWBN AVideo that allows attackers to execute arbitrary SQL commands without authentication. The vulnerability affects AVideo versions before 24.0 due to improper sanitization of the catName parameter in JSON POST requests. This can lead to data theft, modification, or complete system compromise.
💻 Affected Systems
- WWBN AVideo
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation, and potential remote code execution on the underlying server.
Likely Case
Database information disclosure, data manipulation, and potential authentication bypass.
If Mitigated
Limited impact with proper network segmentation, database permissions, and input validation in place.
🎯 Exploit Status
Exploitation requires sending specially crafted JSON POST requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.0
Vendor Advisory: https://github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56p
Restart Required: No
Instructions:
1. Back up your AVideo installation and database.
2. Download AVideo version 24.0 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Verify that the objects/videos.json.php and objects/video.php files contain the security fixes.
🔧 Temporary Workarounds
Input Validation Filter
Implement additional input validation for JSON parameters before they reach the vulnerable components.
# PHP allow-list check on catName before it reaches any query code (assumes the JSON body is read from php://input; widen the pattern to the category names your site actually uses)
$body = json_decode(file_get_contents('php://input'), true);
$catName = is_array($body) ? ($body['catName'] ?? '') : '';
if (!preg_match('/^[a-zA-Z0-9_-]+$/', $catName)) { http_response_code(400); die('Invalid input'); }
WAF Rule
Deploy web application firewall rules to block SQL injection patterns in JSON POST requests.
# ModSecurity rule example (requires SecRequestBodyAccess On; for JSON bodies REQUEST_BODY is only
# populated when the raw body variable is forced, e.g. a phase:1 rule with ctl:forceRequestBodyVariable=On)
SecRule REQUEST_BODY "@rx (?i)\b(union|select|insert|update|delete|drop|create|alter)\b" \
    "id:1001,phase:2,deny,status:403,msg:'SQL Injection attempt detected'"
# Word boundaries avoid matching words like "selection"; plain keyword matching will still block
# legitimate text that contains these words, so run the rule in detection-only mode before enforcing it.
# Cloudflare WAF: Enable SQLi protection rules
🧯 If You Can't Patch
- Implement strict network access controls to limit access to AVideo endpoints to trusted IP addresses only.
- Deploy database-level protections including minimal privilege accounts, query logging, and regular security audits.
🔍 How to Verify
Check if Vulnerable:
Check whether the AVideo version is below 24.0 by examining the version file or the admin panel. Test the endpoints /objects/videos.json.php and /objects/video.php with JSON POST requests containing SQL injection payloads in the catName parameter.
Check Version:
grep -r "version\|Version" /path/to/avideo/installation/ | grep -i avideo
Verify Fix Applied:
Verify AVideo version is 24.0 or higher. Test the same endpoints with SQL injection payloads to confirm they are properly rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple failed POST requests to /objects/videos.json.php or /objects/video.php
- Database queries with unusual patterns or syntax errors
Network Indicators:
- POST requests to vulnerable endpoints with JSON payloads containing SQL keywords
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND (uri_path="/objects/videos.json.php" OR uri_path="/objects/video.php") AND request_method="POST" AND (body="*union*" OR body="*select*" OR body="*insert*" OR (body="*catName*" AND (body="*'*" OR body="*\"*")))
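The same detection logic as the SIEM query, applied offline to a request log, as an added example that is not part of this advisory or of the AVideo project. It assumes a constructed JSON-lines log with method, path and body fields, and additionally checks the catName value itself against an allow-list instead of relying on keywords alone:

```python
"""Flag POSTs to the two AVideo endpoints named in this advisory.

Added example, not AVideo project code. Assumes a JSON-lines request log
whose records carry "method", "path" and "body" (constructed format).
"""
import json
import re

WATCHED_PATHS = {"/objects/videos.json.php", "/objects/video.php"}
# Same keyword set as the SIEM query, with word boundaries to avoid "selection" etc.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I)
# A benign category name should not need quotes, spaces or comment markers.
ALLOWED_CATNAME = re.compile(r"^[A-Za-z0-9_-]+$")


def flag_request(record: dict) -> list[str]:
    """Return the reasons this request looks like a probe of CVE-2026-28501 (empty if none)."""
    reasons: list[str] = []
    if record.get("method") != "POST" or record.get("path") not in WATCHED_PATHS:
        return reasons
    body = record.get("body", "")
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        payload = {}
    cat = payload.get("catName") if isinstance(payload, dict) else None
    if isinstance(cat, str) and not ALLOWED_CATNAME.match(cat):
        reasons.append(f"catName outside allow-list: {cat!r}")
    if SQL_KEYWORDS.search(body):
        reasons.append("SQL keyword in body")
    return reasons


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line_number, reasons) for every flagged record; unparsable lines are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = flag_request(rec)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample records (not real traffic): benign, quote-only probe, keyword probe, off-path.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/objects/videos.json.php", "body": json.dumps({"catName": "music"})},
    {"method": "POST", "path": "/objects/video.php", "body": json.dumps({"catName": "music' OR 1=1--"})},
    {"method": "POST", "path": "/objects/videos.json.php", "body": json.dumps({"catName": "a UNION SELECT b"})},
    {"method": "POST", "path": "/index.php", "body": json.dumps({"catName": "a UNION SELECT b"})},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
```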