HIGHVulnerability
Verified
Global
NVD HIGH: CVE-2026-33767 — WWBN AVideo is an open source video platform. In versions up to and including 26...
Friday, March 27, 2026 at 05:16 PM UTC·Source: NIST NVD
Updated: Thursday, April 2, 2026 at 05:46 PM UTC
Executive Summary
WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary
Analysis
WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection. Commit 0215d3c4f1ee748b8880254967b51784b8ac4080 contains a patch.
CVSS Score: 8.8. Published: 2026-03-27T17:16:29.597.