PT-2026-28538 · Avideo · Avideo

Athuljayaram · Published 2026-03-26 · Updated 2026-03-27

CVE-2026-33770 · CVSS v3.1 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0
Description: The static method fixCleanTitle() in objects/category.php builds a SQL SELECT by interpolating the $clean_title and $id variables directly into the query string instead of using a prepared statement with bound parameters. $clean_title is derived from user input (the category title) and, like $id, is embedded in the SQL without escaping or parameterization. An attacker who can reach the category creation or renaming API endpoint can therefore supply a title such as

test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -

which closes the string literal, appends a UNION SELECT against the users table and comments out the remainder of the original query, returning credentials and other sensitive data from the users table in the response.
Recommendations: Update AVideo to a release that contains commit 994cc2b3d802b819e07e6088338e8bf4e484aae4, which patches this issue. The fix replaces the string interpolation with a parameterized query: use ? placeholders and pass $clean_title and (int)$id as bound parameters, so the title is always sent to the database as a string value and the id as an integer, whatever their content.
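The injection and the recommended fix, modelled side by side. This is an added example written for this page in Python against an in-memory SQLite database; it is not AVideo's PHP code, and the table layout, the col4..col10 column names and the sample credential row are constructed fixtures. lookup_vulnerable() mirrors the interpolation pattern the advisory describes, lookup_parameterized() applies the ? placeholder fix, and both are run with the payload quoted above.

```python
import sqlite3

# Constructed fixture, not AVideo's real schema: a 10-column `categories`
# table, so that the advisory's 10-column UNION payload lines up, and a
# `users` table holding the credential an attacker is after.
SCHEMA = """
CREATE TABLE categories (
    id INTEGER PRIMARY KEY, name TEXT, clean_name TEXT,
    col4 TEXT, col5 TEXT, col6 TEXT, col7 TEXT, col8 TEXT, col9 TEXT, col10 TEXT
);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO categories VALUES (1, 'News', 'news', '', '', '', '', '', '', '');
INSERT INTO categories VALUES (2, 'Test', 'test', '', '', '', '', '', '', '');
INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash');
"""

# The payload quoted in the advisory, verbatim. The trailing "-- -" opens a
# SQL line comment (MySQL needs whitespace after "--", hence the extra dash),
# which swallows the rest of the original WHERE clause.
PAYLOAD = "test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, clean_title, id_):
    """Model of the pattern the advisory describes (not the project's code):
    both request-derived values are interpolated straight into the SQL text."""
    sql = (f"SELECT * FROM categories "
           f"WHERE clean_name = '{clean_title}' AND id != {id_}")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, clean_title, id_):
    """The fix the advisory recommends: `?` placeholders, the title bound as a
    string and the id cast to int before binding. int() raises ValueError on
    non-numeric input, where PHP's (int) cast would silently coerce to 0 or a
    leading integer; in both cases no attacker text reaches the SQL engine."""
    sql = "SELECT * FROM categories WHERE clean_name = ? AND id != ?"
    return conn.execute(sql, (clean_title, int(id_))).fetchall()


def leaked_credentials(rows):
    """Pick out rows that came from `users` rather than `categories`. The
    UNION places username/password in the first two columns, and a category
    row always starts with its integer id, so a string in column 0 means the
    row was smuggled in by the injected SELECT."""
    return [(r[0], r[1]) for r in rows if isinstance(r[0], str)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable :", leaked_credentials(lookup_vulnerable(db, PAYLOAD, 1)))
    print("parameterized:", leaked_credentials(lookup_parameterized(db, PAYLOAD, 1)))
```

Run as written, the vulnerable lookup returns the admin credential row alongside the legitimate category match, while the parameterized lookup returns nothing because the whole payload is compared, quote and all, as the value of clean_name. Passing something like 1 OR 1=1 as the id to the parameterized version fails before any query is issued.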

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-33770
GHSA-584P-RPVQ-35VF

Affected Products

Avideo