CVE-2026-28501

high-risk

Published 2026-03-06

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.

Do I need to act?

20.9% chance of exploitation in next 30 days

EPSS score — higher than 79% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Avideo

Affected Vendors

Wwbn

References (3)

Patch https://github.com/WWBN/AVideo/commit/0c10be681c64044618ab94473251bd7c9b114fa1

Product https://github.com/WWBN/AVideo/releases/tag/24.0

Vendor Advisory https://github.com/WWBN/AVideo/security/advisories/GHSA-pv87-r9qf-x56p

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 14/34 · Moderate

Exposure 5/34 · Minimal