WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle() static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $clean_title and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33770.json",
"cwe_ids": [
"CWE-89"
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "26.0"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
}