PT-2026-22880 · Avideo · Avideo

Daniel Neto · Published 2026-03-02 · Updated 2026-04-17 · CVE-2026-28501

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 23

Description: The software contains an unauthenticated SQL injection flaw in the objects/videos.json.php and objects/video.php components. The application does not properly sanitize the catName parameter when it arrives in a JSON-formatted POST body, which bypasses the existing security checks. This allows an unauthenticated attacker to execute arbitrary SQL queries, potentially leading to database exfiltration, extraction of sensitive data such as administrator usernames and password hashes, privilege escalation, and full system compromise. The issue is categorized as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).

Recommendations: Upgrade to version 23 or later.

Exploit · Fix · RCE · SQL injection

Weakness Enumeration

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

Related Identifiers

CVE-2026-28501
GHSA-PV87-R9QF-X56P

Affected Products

Avideo