<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33651 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33651/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33651/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo SQL Injection Vulnerability (CVE-2026-33651)</title><link>https://feed.craftedsignal.io/briefs/2024-01-avideo-sql-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-avideo-sql-injection/</guid><description>AVideo versions up to 26.0 are vulnerable to time-based blind SQL injection via the `live_schedule_id` parameter in `remindMe.json.php`, allowing authenticated users to extract arbitrary database contents.</description><content:encoded><![CDATA[<p>AVideo, an open-source video platform, is susceptible to a critical SQL injection vulnerability (CVE-2026-33651) affecting versions up to and including 26.0. The vulnerability lies within the <code>remindMe.json.php</code> endpoint, where the <code>$_REQUEST['live_schedule_id']</code> parameter is mishandled. Despite attempts to sanitize the input using <code>intval()</code> within intermediate functions, the original tainted variable remains unsanitized before being directly concatenated into a SQL <code>LIKE</code> clause within <code>Scheduler_commands::getAllActiveOrToRepeat()</code>. This flaw enables any authenticated user to perform time-based blind SQL injection attacks. The vulnerability was patched in commit 75d45780728294ededa1e3f842f95295d3e7d144. Successful exploitation could lead to unauthorized access and exfiltration of sensitive database information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the AVideo platform with valid credentials.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>remindMe.json.php</code> endpoint.</li>
<li>The attacker injects SQL code into the <code>live_schedule_id</code> parameter within the request. This parameter is passed unsanitized to the vulnerable function.</li>
<li>The <code>remindMe.json.php</code> script processes the request, passing the tainted <code>live_schedule_id</code> to <code>Scheduler_commands::getAllActiveOrToRepeat()</code>.</li>
<li><code>Scheduler_commands::getAllActiveOrToRepeat()</code> concatenates the injected SQL code into a <code>LIKE</code> clause within a SQL query.</li>
<li>The application executes the malicious SQL query against the AVideo database.</li>
<li>The attacker uses time-based techniques to infer the results of the injected SQL query, extracting data bit by bit.</li>
<li>The attacker successfully exfiltrates sensitive information from the database, such as user credentials, configuration settings, or other confidential data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33651 allows any authenticated user to perform time-based blind SQL injection attacks, leading to the complete compromise of the AVideo database. This can result in the exfiltration of sensitive data, including user credentials and system configurations. Given that AVideo is a video platform, the exposed data could also include information about video content, user activity, and potentially even the videos themselves. The number of affected installations is unknown.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 75d45780728294ededa1e3f842f95295d3e7d144 to remediate CVE-2026-33651.</li>
<li>Deploy the Sigma rule &quot;Detect AVideo SQL Injection Attempt&quot; to detect exploitation attempts against the <code>remindMe.json.php</code> endpoint.</li>
<li>Monitor web server logs for suspicious requests containing SQL syntax in the <code>live_schedule_id</code> parameter of the <code>remindMe.json.php</code> endpoint.</li>
<li>Implement input validation and sanitization for all user-supplied input to prevent SQL injection vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>sql-injection</category><category>cve-2026-33651</category><category>webserver</category></item></channel></rss>