PT-2026-26772

Danielnetodotcom · Published 2026-03-20 · Updated 2026-03-23

CVE-2026-33485

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions up to and including 26.0

Description: The RTMP on_publish callback at plugin/Live/on_publish.php lacks authentication. The $_POST['name'] parameter, which carries the stream key, is incorporated directly into SQL queries inside the LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() functions without sanitization or parameterized binding. This allows an unauthenticated attacker to perform time-based blind SQL injection and potentially extract the entire database contents, including user password hashes, email addresses and other sensitive data. The sanitization on line 117 of plugin/Live/on_publish.php only strips the '&' and '=' characters. The sqlDAL::readSql() function provides no protection when it is called without the format/values parameters, because it then compiles the injected SQL directly. Exploitation can be achieved through crafted curl requests, leveraging the injection points to extract data character by character. An attacker could potentially authenticate to the streaming system as any user by using the extracted password hashes.

Recommendations:
Versions up to and including 26.0: Use parameterized queries in the LiveTransmition::keyExists() function at plugin/Live/Objects/LiveTransmition.php:298-303.
Versions up to and including 26.0: Use parameterized queries in the LiveTransmitionHistory::getLatest() function at plugin/Live/Objects/LiveTransmitionHistory.php:494-495.
Versions up to and including 26.0: Use parameterized queries in the LiveTransmitionHistory::getLatestFromKey() function at plugin/Live/Objects/LiveTransmitionHistory.php:681-688.
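An added example, not code from the AVideo project, showing the unsafe shape the advisory describes (stream key stripped of '&' and '=' and then concatenated into the query) next to the parameterized form the recommendations call for, plus an input check for the unauthenticated callback. The mysqli connection, the livetransmition table and `key` column, and the stream-key pattern are assumptions; with AVideo's own sqlDAL::readSql() the same fix means passing the format and values arguments instead of a pre-built string, as the description notes.

```php
<?php
// Added example (not AVideo's own code). Assumes a mysqli connection $conn
// and a table livetransmition with a `key` column; names are illustrative.

// 1) Vulnerable shape: stripping only '&' and '=' leaves quotes and every
//    other piece of SQL syntax intact, so the key is compiled as SQL.
function keyExistsUnsafe(mysqli $conn, string $key): bool
{
    $key = str_replace(['&', '='], '', $key); // the "sanitization" the advisory describes
    $sql = "SELECT id FROM livetransmition WHERE `key` = '{$key}' LIMIT 1";
    $res = $conn->query($sql);                // untrusted text reaches the parser
    return $res !== false && $res->num_rows > 0;
}

// 2) Hardened shape: the key is bound as a parameter, so it is always data.
function keyExistsSafe(mysqli $conn, string $key): bool
{
    $stmt = $conn->prepare("SELECT id FROM livetransmition WHERE `key` = ? LIMIT 1");
    if ($stmt === false) {
        return false;                         // treat a prepare failure as "no key"
    }
    $stmt->bind_param('s', $key);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

// 3) Defence in depth for the unauthenticated on_publish callback: reject
//    anything that does not look like a stream key before touching the DB.
//    The allowed pattern is an assumption; align it with the keys AVideo issues.
function isPlausibleStreamKey(string $key): bool
{
    return preg_match('/^[A-Za-z0-9_-]{8,128}$/', $key) === 1;
}

$name = $_POST['name'] ?? '';
if (!isPlausibleStreamKey($name)) {
    http_response_code(400);
    exit('invalid stream key');
}
// ... continue with keyExistsSafe($conn, $name), never keyExistsUnsafe()
```

The length-and-charset check is not a substitute for binding; it only shrinks what an unauthenticated caller can hand to the callback, and a log of rejected keys gives a cheap detection signal for probing of the endpoint.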

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-33485, GHSA-8P58-35C3-CCXX

Affected Products: AVideo, LiveTransmition, LiveTransmitionHistory