CVE-2026-28501

Impact

An unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components.

The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms.

This allows an unauthenticated attacker to:

• Execute arbitrary SQL queries
• Perform full database exfiltration
• Extract sensitive data including administrator usernames, password hashes, session identifiers and user records
• Potentially escalate privileges by cracking password hashes offline
• Chain with authenticated vulnerabilities to achieve full system compromise

This vulnerability is classified as:

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

​

Patches

This vulnerability has been fixed in version 23.

Users must upgrade to version 23 or later.

​

Workarounds

There is no reliable workaround.

The only recommended mitigation is to upgrade immediately to version 23 upon its release.

​

References

Internal security report.