CVE-2026-33485 in AVideo

Summary

by MITRE • 03/23/2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch.


Analysis

by VulDB Data Team • 03/27/2026

The vulnerability identified as CVE-2026-33485 affects the WWBN AVideo platform in versions up to and including 26.0. It is an unauthenticated SQL injection, not an authentication bypass: the RTMP on_publish callback at plugin/Live/on_publish.php can be reached without any credentials, and the stream key it receives is passed into database queries without validation or parameterization. Anyone who can send an HTTP request to that endpoint can therefore influence how the application builds its SQL.

Technically, the $_POST['name'] parameter, which carries the stream key, is interpolated directly into SQL strings in two functions, LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists(), with neither prepared statements nor escaping anywhere on the path from the request to the query. The injection is blind: the callback does not echo query results, so the practical technique is time-based blind SQL injection, in which the attacker injects a conditional delay and measures the response time to learn one bit per request about the data.

The operational impact is severe. By iterating such timing probes an attacker can reconstruct database contents, including user password hashes, email addresses and other sensitive records, one character at a time. Extraction is slow but needs no account on the platform, and the recovered hashes can be attacked offline, so the flaw exposes every user of an instance rather than a single stream.

This vulnerability aligns with CWE-89 (SQL injection) and is a classic case of untrusted input reaching a query without parameterization. The ATT&CK framework categorizes the attack under T1190 - Exploit Public-Facing Application, where attackers leverage vulnerabilities in publicly accessible services to gain unauthorized access to backend systems. The on_publish callback is meant to be invoked by the media server when a stream starts, not by arbitrary clients, so leaving it reachable without authentication also violates the principle of least privilege: a component that only one trusted peer should be able to call is exposed to everyone.

Mitigation consists of applying the patch in commit af59eade82de645b20183cc3d74467a7eac76549, which addresses the query construction. Independently of the patch, the affected functions should use parameterized queries or prepared statements, the stream key should be validated against the character set a legitimate key can contain, and the callback endpoint should only accept requests from the media server, for example by checking the source address or a shared secret in the callback URL. Regular auditing of database interaction points, particularly in plugin code that receives input from other services, helps keep similar flaws out of future releases.
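As an added example, and not AVideo's own code or the fix in the referenced commit, the following PHP sketch puts the vulnerable pattern described above beside a hardened version of the same check and of the callback gate. The function names (keyExistsVulnerable, keyExistsSafe, callbackIsAuthorized, handleOnPublish), the RTMP_CALLBACK_SECRET constant, the secret query parameter, the $mysqli connection and the table and column names are all assumptions for illustration; the real functions live in LiveTransmition::keyExists() and LiveTransmitionHistory::getLatest() and the real schema is not shown on this page.

```php
<?php
// Added example, not code from the AVideo project. Table and column names
// (live_transmitions, `key`) are placeholders, not the real schema.

// --- Vulnerable pattern described in the advisory: stream key interpolated into SQL ---
function keyExistsVulnerable(mysqli $mysqli, string $key): bool
{
    // $key comes straight from $_POST['name'] in the on_publish callback.
    // A key such as   abc' OR SLEEP(5)-- -   becomes part of the query text,
    // so the response time reveals whether an attacker-chosen condition holds,
    // even though the callback never returns query output to the caller.
    $sql = "SELECT id FROM live_transmitions WHERE `key` = '{$key}' LIMIT 1";
    $res = $mysqli->query($sql);
    return $res !== false && $res->num_rows > 0;
}

// --- Hardened version: the key is bound as data and is never parsed as SQL ---
function keyExistsSafe(mysqli $mysqli, string $key): bool
{
    $stmt = $mysqli->prepare("SELECT id FROM live_transmitions WHERE `key` = ? LIMIT 1");
    $stmt->bind_param('s', $key);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

// --- Gating the callback itself ---
// nginx-rtmp's on_publish posts form fields (name, app, addr, ...) to the
// configured URL and treats any non-2xx reply as a rejection of the publish.
// Assumption for this example: the media server is configured with a URL like
//   on_publish http://avideo.example/plugin/Live/on_publish.php?secret=...;
// and the same value is stored server-side in RTMP_CALLBACK_SECRET. Neither the
// parameter name nor the constant is part of AVideo.
const RTMP_CALLBACK_SECRET = 'replace-with-a-long-random-value';

function callbackIsAuthorized(array $get, string $remoteAddr, array $allowedOrigins): bool
{
    $secret = $get['secret'] ?? '';
    // hash_equals() compares in constant time, avoiding a timing side channel
    // on the secret itself.
    if (!hash_equals(RTMP_CALLBACK_SECRET, $secret)) {
        return false;
    }
    // Defense in depth: only the media server's address may call the hook.
    return in_array($remoteAddr, $allowedOrigins, true);
}

// Returns the HTTP status the callback should answer with.
function handleOnPublish(mysqli $mysqli, array $get, array $post, string $remoteAddr): int
{
    if (!callbackIsAuthorized($get, $remoteAddr, ['127.0.0.1', '::1'])) {
        return 403;
    }
    $key = (string)($post['name'] ?? '');
    // Reject keys that can never be valid before they reach the database at all;
    // the allowed character set here is an assumption about what a key looks like.
    if ($key === '' || strlen($key) > 128 || !preg_match('/^[A-Za-z0-9_-]+$/', $key)) {
        return 403;
    }
    return keyExistsSafe($mysqli, $key) ? 200 : 403;
}

// Wiring, when this file is the callback target:
//   http_response_code(handleOnPublish($mysqli, $_GET, $_POST, $_SERVER['REMOTE_ADDR']));
```

The prepared statement alone closes the injection; the secret check and the origin check are there because the endpoint is only ever supposed to be called by the RTMP server, and the input allowlist limits what reaches the query if a future code path forgets to bind its parameters.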

Responsible

GitHub M

Reservation

03/20/2026

Disclosure

03/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00269

KEV

no

Activities

very low
