CVE-2026-33767

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0

Description AVideo is susceptible to a SQL injection issue in the objects/like.php file. The getLike() method uses a prepared statement placeholder for users id but directly concatenates $this->videos id into the SQL query string without proper parameterization. An attacker controlling the videos id value through a crafted request can inject arbitrary SQL code, bypassing the intended protection. The vulnerable code constructs a query like this: SELECT * FROM likes WHERE users id = ? AND videos id = .$this->videos id LIMIT 1;. The videos idparameter originates from user input and is not validated before being included in the query. A proof-of-concept demonstrates that an attacker can submit a like request with a maliciousvideos idvalue, such as1 UNION SELECT user,password,3,4,5,6,7,8 FROM users-- -, to execute an arbitrary SQL query and potentially read the entire database, including user credentials and other sensitive information. The API endpoint /objects/likeAjax.json.phpis used to submit like requests, and the vulnerable parameter isvideos id`.

Recommendations AVideo versions up to and including 26.0 should be updated to a version containing commit 0215d3c4f1ee748b8880254967b51784b8ac4080. As a temporary workaround, consider disabling the like/dislike functionality or restricting access to the objects/like.php file until a patch is applied.