PT-2026-26562 · AVideo
Author: Arkmarta (+1)
Published: 2026-03-20 · Updated: 2026-03-20
CVE-2026-33025
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 8.0

Description: AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection issue in the getSqlFromPost() method of Object.php. The keys of the $_POST['sort'] array are used directly as SQL column identifiers within an ORDER BY clause. Although real_escape_string() was applied, it only escapes characters that matter inside a string literal and offers no protection for SQL identifiers, so it is ineffective here. The issue stems from unsanitized input being used directly to construct a SQL query; the sort parameter of the $_POST request is the vulnerable input.

Recommendations: Versions prior to 8.0 should be upgraded to version 8.0. As a workaround without upgrading, apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.
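The advisory's core point is that escaping helps string literals, not identifiers: an ORDER BY column name has to be validated against a fixed set, not escaped. The PHP below is an added example written for this advisory, not AVideo's own code. It shows the character check the workaround WAF rule expresses, and an allowlist-based builder for the ORDER BY fragment; the column names in the allowlist and the sample inputs are constructed assumptions.

```php
<?php
// Added example (not AVideo project code): building an ORDER BY clause from
// user-supplied sort keys safely. The allowlist and sample inputs below are
// assumptions for illustration only.

declare(strict_types=1);

/**
 * Mirrors the advisory's suggested WAF rule: every key of sort[*] must consist
 * only of characters in [A-Za-z0-9_]. Escaping functions such as
 * mysqli::real_escape_string() do not help here because a column identifier is
 * not a string literal, so a check like this has to run before any SQL is built.
 */
function sortKeysLookSafe(array $sort): bool
{
    foreach (array_keys($sort) as $key) {
        // PHP turns numeric-string keys into ints; reject those too.
        if (!is_string($key) || preg_match('/^[A-Za-z0-9_]+$/', $key) !== 1) {
            return false;
        }
    }
    return true;
}

/**
 * Builds "ORDER BY ..." from the sort array using an allowlist. Only columns
 * listed in $allowedColumns are accepted (strict comparison), the direction is
 * normalised to ASC/DESC, and accepted identifiers are wrapped in backticks.
 * Anything else raises InvalidArgumentException instead of reaching the query.
 */
function buildOrderBy(array $sort, array $allowedColumns): string
{
    $parts = [];
    foreach ($sort as $column => $direction) {
        if (!is_string($column) || !in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException(
                'Sort column not allowed: ' . var_export($column, true)
            );
        }
        $direction = strtoupper(trim((string) $direction));
        if ($direction !== 'ASC' && $direction !== 'DESC') {
            throw new InvalidArgumentException('Sort direction must be ASC or DESC');
        }
        $parts[] = '`' . $column . '` ' . $direction;
    }
    return $parts === [] ? '' : 'ORDER BY ' . implode(', ', $parts);
}

// Hypothetical allowlist of sortable columns for a videos table.
$allowedColumns = ['id', 'title', 'created', 'views_count'];

// Constructed sample inputs standing in for $_POST['sort'].
$good = ['created' => 'desc', 'title' => 'ASC'];
echo buildOrderBy($good, $allowedColumns), PHP_EOL;

// A key with characters outside [A-Za-z0-9_] fails the WAF-style check and,
// independently, is refused by the allowlist.
$bad = ['title (x)' => 'ASC'];
var_dump(sortKeysLookSafe($bad));
try {
    buildOrderBy($bad, $allowedColumns);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two checks are deliberately independent: the regex is the cheap perimeter rule the advisory suggests for a WAF, while the allowlist in buildOrderBy() is the fix that belongs in the application, since a syntactically clean identifier can still name a column the caller should not be able to sort by.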

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-33025, GHSA-5QVJ-5H75-27PJ

Affected Products: AVideo