CVE-2026-33485

HIGH wwbn NVD

CVSS Score 7.5

Severity HIGH

Published Mar 23, 2026

Vendor wwbn

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch.

References

https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549
https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx