CVE-2026-33723

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0

Description AVideo is an open source video platform susceptible to a SQL injection flaw. The Subscribe::save() method within objects/subscribe.php directly incorporates the this->users id property into an SQL INSERT query without proper sanitization or parameterized binding. This property is sourced from the $ POST['user id'] parameter, accessible through both subscribe.json.php and subscribeNotify.json.php. An authenticated attacker can leverage this to inject arbitrary SQL code, potentially extracting sensitive data such as password hashes, API keys, and encryption salts. The vulnerable parameter is user id. The API endpoint involved is subscribe.php.

Recommendations Update to a version beyond 26.0.