WWBN AVideo SQL Injection Vulnerability (CVE-2026-33723)
WWBN AVideo platform versions up to 26.0 are vulnerable to SQL injection (CVE-2026-33723), allowing authenticated attackers to inject arbitrary SQL commands via the 'user_id' POST parameter and extract sensitive data such as password hashes, API keys, and encryption salts.
WWBN AVideo, an open-source video platform, is susceptible to a critical SQL injection vulnerability (CVE-2026-33723) affecting versions up to and including 26.0. The vulnerability resides within the Subscribe::save() method located in objects/subscribe.php. The application directly concatenates the $this->users_id property into an INSERT SQL query without proper sanitization or parameterized binding. This property originates from the $_POST['user_id'] parameter in both…
Detection coverage (2)
Detect AVideo Subscribe SQL Injection Attempt
Severity: critical. Detects potential SQL injection attempts in AVideo's subscribe endpoints by looking for common SQL keywords in the user_id parameter.
Detect AVideo Subscribe Error Based SQL Injection
Severity: high. Detects potential error-based SQL injection attempts in AVideo's subscribe endpoints by looking for common error-based SQL keywords in the user_id parameter.
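The two detections above can be sketched as a log check. This is an added example, not the platform's rule content or AVideo code: the keyword lists, the "path contains subscribe" match, the record layout and the assumption that a legitimate user_id is a plain integer are all illustrative, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Assumed keyword sets for illustration; the platform's actual rules are not on the page.
GENERIC = re.compile(r"\b(union|select|insert|update|delete|from|where|sleep|benchmark)\b|--|/\*|;", re.I)
ERROR_BASED = re.compile(r"\b(extractvalue|updatexml|exp|floor|rand)\s*\(", re.I)

def inspect_body(body):
    """Return the list of (rule, severity) hits for one form-encoded POST body."""
    hits = []
    values = parse_qs(body, keep_blank_values=True).get("user_id", [])
    if len(values) > 1:                      # repeated parameter can confuse a WAF/app pair
        hits.append(("duplicate-user_id", "medium"))
    for raw in values:
        value = unquote_plus(raw).strip()    # second decode catches double encoding
        if re.fullmatch(r"\d+", value):
            continue                         # assumed: a legitimate id is a plain integer
        generic, error = GENERIC.search(value), ERROR_BASED.search(value)
        if generic:
            hits.append(("sqli-keyword", "critical"))
        if error:
            hits.append(("sqli-error-based", "high"))
        if not (generic or error):
            hits.append(("non-numeric-user_id", "low"))
    return hits

def scan(records):
    """Return (source, hits) for POSTs whose path contains 'subscribe' (assumed match)."""
    out = []
    for rec in records:
        if rec["method"] == "POST" and "subscribe" in rec["path"].lower():
            hits = inspect_body(rec["body"])
            if hits:
                out.append((rec["src"], hits))
    return out

# Constructed sample records; the paths are placeholders, not AVideo's real endpoints.
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": "/placeholder/subscribe", "body": "user_id=42"},
    {"src": "198.51.100.8", "method": "POST", "path": "/placeholder/subscribe", "body": "user_id=42+UNION+SELECT+1"},
    {"src": "198.51.100.9", "method": "POST", "path": "/placeholder/subscribe", "body": "user_id=1%2520and%2520updatexml(1,2,3)"},
    {"src": "198.51.100.10", "method": "POST", "path": "/placeholder/other", "body": "user_id=1+UNION+SELECT+1"},
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE):
        print(src, hits)
```

Flagging every non-integer user_id, even at low severity, surfaces probes that avoid the keyword lists; the underlying fix remains binding the value as a parameter instead of concatenating it into the INSERT.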