CVE-2026-33770

AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

Summary

The fixCleanTitle() static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $clean_title and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL.

Details

File: objects/category.php

Vulnerable code:

public static function fixCleanTitle($clean_title, $count, $id, $original_title = "")
{
    global $global;
    // $clean_title is spliced straight into the quoted literal: a single quote
    // in the slug closes the string and the remainder is parsed as SQL.
    $sql = "SELECT * FROM categories WHERE clean_name = '{$clean_title}' ";
    if (!empty($id)) {
        // $id is concatenated as a bare token, so anything that is not a pure
        // integer also becomes part of the query text.
        $sql .= " AND id != {$id} ";
    }
    $sql .= " LIMIT 1";
    // Empty format string and empty values array: no parameters are bound.
    $res = sqlDAL::readSql($sql, "", [], true);
    // ...
}

Both $clean_title (a user-supplied category name after slug conversion) and $id (the category ID being edited) are embedded directly into the SQL string. The $clean_title value derives from user input through the category save workflow — it is the "clean" URL-slug version of whatever category name the user submits. No escaping or parameterization is applied before the value is placed inside single quotes in the query.

PoC

An authenticated admin creates or renames a category with the title:

test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -

The PoC relies on the single quote surviving slug conversion; the advisory states that SQL metacharacters are not stripped, so the quote closes the literal and the rest of the title is parsed as SQL. The backend then executes:

SELECT * FROM categories WHERE clean_name = 'test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -'  LIMIT 1

Because the injected "-- -" comments out the dangling quote and the LIMIT clause, the UNION branch returns rows from the users table, enabling full credential exfiltration. The $id concatenation point is injectable as well: $id is emitted as a bare token, so any value that is not a pure integer (a number followed by SQL) is executed if the caller does not validate it.

Impact

  • Type: SQL Injection (CWE-89)
  • Severity: High
  • Authentication required: Admin-level (category management), though the same pattern may be reachable via lower-privilege paths depending on plugin configuration
  • Impact: Full database read; credentials, private video metadata, user PII accessible via UNION injection
  • Fix: Replace direct interpolation with parameterized queries — use ? placeholders and pass $clean_title and (int)$id as bound parameters
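
As an added example (not AVideo's code and not part of the advisory), the stand-alone PHP script below reproduces the interpolation bug against an in-memory SQLite database through PDO and contrasts it with the parameterized form the Fix bullet calls for. The two-column schema, the sample rows and the shortened payload are constructed for the demo; the real categories table has more columns, which is why the advisory's payload pads the UNION with 3,4,...,10.

```php
<?php
// Added example, not AVideo code. Reproduces the interpolation bug from
// objects/category.php fixCleanTitle() on an in-memory SQLite database and
// contrasts it with the parameterized rewrite. Schema and rows are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Two columns keep the UNION short; the advisory's payload pads to the real
// column count with literals (3,4,5,...).
$pdo->exec("CREATE TABLE categories (id INTEGER PRIMARY KEY, clean_name TEXT)");
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO categories (id, clean_name) VALUES (1, 'music'), (2, 'news')");
$pdo->exec("INSERT INTO users (id, username, password) VALUES (1, 'admin', '\$2y\$10\$constructedhash')");

// Vulnerable shape: $clean_title and $id are spliced into the SQL text,
// exactly as in the original fixCleanTitle().
function fixCleanTitleVulnerable(PDO $pdo, string $clean_title, $id): array
{
    $sql = "SELECT * FROM categories WHERE clean_name = '{$clean_title}' ";
    if (!empty($id)) {
        $sql .= " AND id != {$id} ";
    }
    $sql .= " LIMIT 1";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: positional placeholders, values bound at execute time, and
// $id cast to int so a "number followed by SQL" value never reaches the query.
function fixCleanTitleSafe(PDO $pdo, string $clean_title, $id): array
{
    $sql = "SELECT * FROM categories WHERE clean_name = ? ";
    $params = [$clean_title];
    if (!empty($id)) {
        $sql .= " AND id != ? ";
        $params[] = (int) $id;
    }
    $sql .= " LIMIT 1";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Payload shaped like the advisory's, padded to this demo's two columns.
$payload = "test' UNION SELECT username,password FROM users-- -";

// The closing quote ends the literal, the UNION pulls the users row, and the
// trailing "-- -" comments out the original quote and LIMIT clause.
$leaked = fixCleanTitleVulnerable($pdo, $payload, 0);
if (count($leaked) !== 1 || $leaked[0]['id'] !== 'admin') {
    throw new RuntimeException('expected the UNION to return the users row');
}

// The whole payload is compared as a single clean_name value; nothing matches.
$safe = fixCleanTitleSafe($pdo, $payload, 0);
if ($safe !== []) {
    throw new RuntimeException('parameterized query must not leak rows');
}

printf("interpolated query leaked %d users row(s): %s / %s\n",
    count($leaked), $leaked[0]['id'], $leaked[0]['clean_name']);
printf("parameterized query returned %d row(s)\n", count($safe));
```

Run it with the php CLI (pdo_sqlite ships with most PHP builds). In AVideo's own data layer the equivalent change goes through sqlDAL::readSql: the vulnerable call passes an empty format string and an empty values array, and supplying a format such as "si" with [$clean_title, (int)$id] is how bound parameters are provided there. That mapping is inferred from the call shape shown above, not stated by the advisory, so confirm it against the project's sqlDAL before relying on it.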

CVSS

  • Version: 4.0
  • Base Score: 7.1 (High)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

  • https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vf
  • https://nvd.nist.gov/vuln/detail/CVE-2026-33770
  • https://github.com/WWBN/AVideo/commit/994cc2b3d802b819e07e6088338e8bf4e484aae4
  • https://github.com/WWBN/AVideo

Basic Information

  • Base CVSS: 9.8
  • EPSS Probability: 0.00047%
  • EPSS Percentile: 0.14401%