PT-2026-27184 · Avideo · Avideo

Restriction · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-33651

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: AVideo is an open source video platform. The remindMe.json.php endpoint passes the $_REQUEST['live_schedule_id'] variable through multiple functions without proper sanitization. This ultimately leads to direct concatenation of the variable into a SQL LIKE clause within the Scheduler_commands::getAllActiveOrToRepeat() function. While some intermediate functions apply intval() to local copies of the variable, the original tainted variable remains unchanged. This allows an authenticated user to perform time-based blind SQL injection to extract arbitrary database contents.

Recommendations: Update AVideo to a version newer than 26.0.
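The data-flow defect the description names (an intermediate helper runs intval() on its own local copy, so the caller's original tainted value is what reaches the LIKE clause) is easy to miss in review. The following is an added illustration written for this advisory, not AVideo's code: a Python model of that flow with a small PHP-style intval(), an in-memory SQLite table and function names (validate_copy, build_query_vulnerable, get_active_fixed) that are assumptions, not the project's identifiers. The flawed function shows the raw request value surviving into the SQL text; the hardened one coerces at the boundary and binds the value as a parameter.

```python
import re
import sqlite3


def intval(value):
    """Approximate PHP intval() on a string: leading integer prefix, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def make_db():
    """Constructed in-memory table standing in for a schedule table (not AVideo's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schedules (id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany(
        "INSERT INTO schedules VALUES (?, ?)",
        [(5, "active"), (6, "active"), (7, "inactive")],
    )
    conn.commit()
    return conn


def validate_copy(live_schedule_id):
    """Intermediate helper of the kind the advisory describes (hypothetical name).

    It applies intval() to a local copy only; the caller's variable is untouched,
    so passing this check says nothing about what will be concatenated later.
    """
    local_copy = intval(live_schedule_id)
    return local_copy > 0


def build_query_vulnerable(request):
    """Flawed flow: the original tainted value is concatenated into the LIKE clause."""
    live_schedule_id = request.get("live_schedule_id", "")
    if not validate_copy(live_schedule_id):
        return None
    # The 'sanitized' copy lived only inside validate_copy(); this is the raw string.
    return (
        "SELECT id FROM schedules WHERE status = 'active' "
        "AND id LIKE '%{}%'".format(live_schedule_id)
    )


def raw_input_reaches_sql(sql, raw):
    """Review check: does the untrusted request value appear verbatim in the SQL text?"""
    return sql is not None and raw in sql


def get_active_fixed(conn, request):
    """Hardened flow: coerce the value once at the trust boundary, reassign it,
    and bind it as a query parameter so it can never alter the SQL structure."""
    live_schedule_id = intval(request.get("live_schedule_id", ""))
    if live_schedule_id <= 0:
        return []
    rows = conn.execute(
        "SELECT id FROM schedules WHERE status = 'active' AND id = ?",
        (live_schedule_id,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    tainted = {"live_schedule_id": "5'x"}  # constructed non-numeric request value
    sql = build_query_vulnerable(tainted)
    print("vulnerable SQL:", sql)
    print("raw value reaches SQL:", raw_input_reaches_sql(sql, "5'x"))
    print("hardened result:", get_active_fixed(conn, tainted))
```

Two design points follow from the advisory: the coerced value must be assigned back to the variable that is actually used (or the coercion must happen in the function that builds the query), and an integer identifier has no business in a LIKE pattern at all; an equality comparison with a bound parameter is the right shape for the fixed query.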

Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-33651
GHSA-PVW4-P2JM-CHJM

Affected Products

Avideo