{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33651/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","sql-injection","cve-2026-33651","webserver"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open-source video platform, is susceptible to a critical SQL injection vulnerability (CVE-2026-33651) affecting versions up to and including 26.0. The vulnerability lies within the \u003ccode\u003eremindMe.json.php\u003c/code\u003e endpoint, where the \u003ccode\u003e$_REQUEST['live_schedule_id']\u003c/code\u003e parameter is mishandled. Despite attempts to sanitize the input using \u003ccode\u003eintval()\u003c/code\u003e within intermediate functions, the original tainted variable remains unsanitized before being directly concatenated into a SQL \u003ccode\u003eLIKE\u003c/code\u003e clause within \u003ccode\u003eScheduler_commands::getAllActiveOrToRepeat()\u003c/code\u003e. This flaw enables any authenticated user to perform time-based blind SQL injection attacks. The vulnerability was patched in commit 75d45780728294ededa1e3f842f95295d3e7d144. Successful exploitation could lead to unauthorized access and exfiltration of sensitive database information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the AVideo platform with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eremindMe.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u003ccode\u003elive_schedule_id\u003c/code\u003e parameter within the request. This parameter is passed unsanitized to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eremindMe.json.php\u003c/code\u003e script processes the request, passing the tainted \u003ccode\u003elive_schedule_id\u003c/code\u003e to \u003ccode\u003eScheduler_commands::getAllActiveOrToRepeat()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eScheduler_commands::getAllActiveOrToRepeat()\u003c/code\u003e concatenates the injected SQL code into a \u003ccode\u003eLIKE\u003c/code\u003e clause within a SQL query.\u003c/li\u003e\n\u003cli\u003eThe application executes the malicious SQL query against the AVideo database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses time-based techniques to infer the results of the injected SQL query, extracting data bit by bit.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates sensitive information from the database, such as user credentials, configuration settings, or other confidential data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33651 allows any authenticated user to perform time-based blind SQL injection attacks, leading to the complete compromise of the AVideo database. This can result in the exfiltration of sensitive data, including user credentials and system configurations. Given that AVideo is a video platform, the exposed data could also include information about video content, user activity, and potentially even the videos themselves. The number of affected installations is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 75d45780728294ededa1e3f842f95295d3e7d144 to remediate CVE-2026-33651.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect AVideo SQL Injection Attempt\u0026quot; to detect exploitation attempts against the \u003ccode\u003eremindMe.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL syntax in the \u003ccode\u003elive_schedule_id\u003c/code\u003e parameter of the \u003ccode\u003eremindMe.json.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied input to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-sql-injection/","summary":"AVideo versions up to 26.0 are vulnerable to time-based blind SQL injection via the `live_schedule_id` parameter in `remindMe.json.php`, allowing authenticated users to extract arbitrary database contents.","title":"AVideo SQL Injection Vulnerability (CVE-2026-33651)","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33651","version":"https://jsonfeed.org/version/1.1"}