CRITICAL Vulnerability
Verified
Global

NVD CRITICAL: CVE-2026-33770 — WWBN AVideo is an open source video platform. In versions up to and including 26...

Friday, March 27, 2026 at 05:16 PM UTC · Source: NIST NVD

Updated: Thursday, April 2, 2026 at 05:46 PM UTC

Analysis

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL. Commit 994cc2b3d802b819e07e6088338e8bf4e484aae4 contains a patch. CVSS Score: 9.8. Published: 2026-03-27T17:16:29.747.
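The flaw described above and its fix, as an added PHP illustration that is not AVideo's code or the patch from the referenced commit: the `categories` table, its columns, and both function names are assumptions, and it uses PDO with in-memory SQLite (`pdo_sqlite`) so it runs offline. The constructed title containing an apostrophe shows input changing the statement in the interpolated version and being handled as a plain value in the prepared one.

```php
<?php
// Added illustration; NOT AVideo's code. Table, column and function names
// are assumptions. PDO with in-memory SQLite keeps the example self-contained.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, clean_title TEXT)');
$db->exec("INSERT INTO categories (id, clean_title) VALUES (1, 'news'), (2, 'kids-corner')");

// Flawed pattern: both values become part of the SQL text itself.
function titleTakenInterpolated(PDO $db, string $cleanTitle, $id): bool
{
    $sql = "SELECT COUNT(*) FROM categories WHERE clean_title = '{$cleanTitle}' AND id != {$id}";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened pattern: fixed SQL text, values bound separately with explicit types.
function titleTakenPrepared(PDO $db, string $cleanTitle, int $id): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM categories WHERE clean_title = :t AND id != :id');
    $stmt->bindValue(':t', $cleanTitle, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: an ordinary title and one containing a quote character.
foreach (['news', "kid's-corner"] as $title) {
    try {
        $unsafe = var_export(titleTakenInterpolated($db, $title, 0), true);
    } catch (PDOException $e) {
        // The quote ended the string literal early, so the SQL no longer parses.
        $unsafe = 'SQL error (input altered the statement)';
    }
    $safe = var_export(titleTakenPrepared($db, $title, 0), true);
    echo "{$title}: interpolated={$unsafe} prepared={$safe}\n";
}
```

Declaring `$id` as `int` in the prepared version also rejects non-numeric identifiers before they reach the database layer.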

Indicators of Compromise (2)

SHA-1 (1)

994cc2b3d802b819e07e6088338e8bf4e484aae4

CVE (1)

CVE-2026-33770

Source Attribution

Originally published by NIST NVD on Mar 27, 2026. Verified by: NIST.
