PT-2026-26489 · Avideo · Avideo

Iconnnjka · Published 2026-03-19 · Updated 2026-03-24 · CVE-2026-33352

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 26.0
Description: AVideo, an open source video platform, contains an unauthenticated SQL injection flaw in objects/category.php, in the getAllCategories() method. The doNotShowCats request parameter is insufficiently sanitized: only single quotes are stripped, which is easily bypassed with backslash escaping, and the parameter is not covered by the application's global input filters. Its value is concatenated into SQL queries without further sanitization or the use of parameterized queries, so an attacker can inject arbitrary SQL with a crafted request, potentially leading to full database access, data modification, or even remote code execution.
Recommendations: Versions prior to 26.0: upgrade to version 26.0 or later to address the vulnerability. As a temporary workaround, disable the affected functionality or restrict access to the objects/category.php file. Alternatively, implement parameterized queries to prevent SQL injection attacks.
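To show why stripping single quotes alone is not a defence, and what the recommended fix (allow-list validation plus parameterized queries) looks like, here is an added Python illustration; it is not AVideo's code, and the categories table, its column names and the assumption that doNotShowCats carries a comma-separated list of integer category IDs are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a categories table (not AVideo's schema).
SAMPLE_CATEGORIES = [(1, "News"), (2, "Music"), (3, "Sports"), (4, "Private")]


def weak_sanitize(value: str) -> str:
    """The pattern the advisory describes: only single quotes are removed.
    A backslash survives, and in MySQL-style literals it escapes the quote that
    is meant to close the string, so the quote-stripping buys nothing."""
    return value.replace("'", "")


def build_query_insecure(do_not_show_cats: str) -> str:
    """Vulnerable shape: the 'sanitized' value is concatenated into the SQL text."""
    return ("SELECT id, name FROM categories WHERE id NOT IN ('"
            + weak_sanitize(do_not_show_cats) + "')")


_ID_LIST = re.compile(r"\d+(,\d+)*")


def parse_category_ids(do_not_show_cats: str) -> list[int]:
    """Allow-list validation (assumed intended shape: comma-separated integer IDs).
    Anything else is rejected outright instead of being 'cleaned'."""
    value = do_not_show_cats.strip()
    if value == "":
        return []
    if not _ID_LIST.fullmatch(value):
        raise ValueError("doNotShowCats must be a comma-separated list of integer IDs")
    return [int(x) for x in value.split(",")]


def get_all_categories_safe(conn: sqlite3.Connection, do_not_show_cats: str = ""):
    """Hardened shape: validated integers are bound as parameters, never concatenated."""
    ids = parse_category_ids(do_not_show_cats)
    sql = "SELECT id, name FROM categories"
    if ids:  # an empty NOT IN () is invalid on MySQL, so only add the clause when needed
        sql += " WHERE id NOT IN (" + ",".join("?" * len(ids)) + ")"
    return conn.execute(sql + " ORDER BY id", ids).fetchall()


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_CATEGORIES)
    return conn
```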

Tags: Exploit · Fix · RCE · SQL injection

Related Identifiers

CVE-2026-33352
GHSA-MCJ5-6QR4-95FJ

Affected Products

Avideo