{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33485/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","sqli","unauthenticated","cve-2026-33485"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is vulnerable to a critical SQL injection flaw. Specifically, versions up to and including 26.0 are affected. The vulnerability resides in the RTMP \u003ccode\u003eon_publish\u003c/code\u003e callback, located at \u003ccode\u003eplugin/Live/on_publish.php\u003c/code\u003e, which is accessible without authentication. The \u003ccode\u003e$_POST['name']\u003c/code\u003e parameter, representing the stream key, is directly embedded into SQL queries within \u003ccode\u003eLiveTransmitionHistory::getLatest()\u003c/code\u003e and \u003ccode\u003eLiveTransmition::keyExists()\u003c/code\u003e. This direct interpolation, without proper sanitization or parameterized binding, allows an unauthenticated attacker to perform time-based blind SQL injection. Successful exploitation enables the attacker to extract the entire database content, potentially including user password hashes, email addresses, and other sensitive data. This vulnerability poses a significant risk to AVideo installations, potentially leading to data breaches and unauthorized access. A patch is available in commit af59eade82de645b20183cc3d74467a7eac76549.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted RTMP \u003ccode\u003eon_publish\u003c/code\u003e request to the \u003ccode\u003e/plugin/Live/on_publish.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a malicious \u003ccode\u003e$_POST['name']\u003c/code\u003e parameter containing SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe AVideo application receives the request and processes the \u003ccode\u003eon_publish\u003c/code\u003e callback.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eLiveTransmitionHistory::getLatest()\u003c/code\u003e and \u003ccode\u003eLiveTransmition::keyExists()\u003c/code\u003e, passing the unsanitized \u003ccode\u003e$_POST['name']\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e$_POST['name']\u003c/code\u003e parameter is directly interpolated into SQL queries executed against the AVideo database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses time-based blind SQL injection techniques to extract data bit-by-bit by observing the response time.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data such as user credentials (password hashes), email addresses, and other database contents.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to gain unauthorized access to user accounts or the AVideo system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33485 allows an unauthenticated attacker to extract the entire database content from vulnerable AVideo instances. This includes sensitive information such as user credentials (password hashes), email addresses, and potentially other confidential data stored within the database. The impact could range from unauthorized access to user accounts to a complete data breach, depending on the database contents. The number of affected AVideo installations is unknown, but the widespread use of the platform suggests a potentially large number of vulnerable systems. The lack of authentication required for exploitation makes this vulnerability particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in commit af59eade82de645b20183cc3d74467a7eac76549 or upgrade to a version of AVideo that includes this fix to remediate CVE-2026-33485.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect AVideo Unauthenticated SQL Injection Attempt\u0026quot; to identify potential exploitation attempts against the \u003ccode\u003e/plugin/Live/on_publish.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter out malicious requests to \u003ccode\u003e/plugin/Live/on_publish.php\u003c/code\u003e containing suspicious SQL injection payloads in the \u003ccode\u003e$_POST['name']\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-avideo-sqli/","summary":"WWBN AVideo versions up to 26.0 are vulnerable to unauthenticated SQL injection via the RTMP `on_publish` callback, allowing attackers to extract sensitive database information.","title":"WWBN AVideo Unauthenticated SQL Injection Vulnerability (CVE-2026-33485)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-avideo-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33485","version":"https://jsonfeed.org/version/1.1"}