CVE-2026-28501CRITICAL 9.8EPSS p71.1%

CVE-2026-28501CVE-2026-28501

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS1.51% probability of exploitation · percentile 71.1% · 2026-06-18T12:00:27Z
Published2026-03-06
Last modified2026-03-16

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1
  2. https://github.com/WWBN/AVideo/releases/tag/24.0
  3. https://github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56p

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33352
CVE
CVE-2026-33770
CVE
CVE-2026-33767
CVE
CVE-2026-33025
CVE
CVE-2026-33038
CVE
CVE-2026-41064
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.