CVE-2026-33651: Blind SQL Injection in WWBN AVideo Live Schedule Reminder
Vulnerability ID: CVE-2026-33651
CVSS Score: 8.1
Published: 2026-03-25
WWBN AVideo versions up to and including 26.0 contain a high-severity (CVSS 8.1) time-based blind SQL injection vulnerability in the remindMe.json.php endpoint. An authenticated user can supply a crafted live_schedule_id parameter that is incorporated into a database query. Because the endpoint's response does not echo query results, the attacker infers data from response timing, one true/false condition per request, and can eventually read the contents of the entire database.
TL;DR
Authenticated attackers can exploit a blind SQL injection flaw in AVideo <= 26.0 via the live_schedule_id parameter to extract sensitive database contents using time-based inference.
⚠️ Exploit Status: Proof of concept available
Technical Details
- CWE ID: CWE-89
- Attack Vector: Network
- CVSS v3.1 Score: 8.1 (High)
- Exploit Status: Proof-of-Concept Available
- Authentication: Required (Low Privileges)
- EPSS Percentile: 6.98%
- KEV Status: Not Listed
- Remediation: Update to >= 26.1
Affected Systems
- WWBN AVideo <= 26.0 (fixed in 26.1)
Code Analysis
Commit: 75d4578
Fix for blind SQL injection in remindMe.json.php via live_schedule_id
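The commit itself is not reproduced on this page, so the following is an added illustration of the bug class and its fix, written for this page and not taken from AVideo's source: a hypothetical handler in the style of remindMe.json.php that interpolates live_schedule_id into a query, beside a hardened version that validates the parameter as an integer and binds it with a prepared statement. The table and column names, the PDO handle and the function names are assumptions; only the parameter name and file name come from the advisory.

```php
<?php
// Added illustration for this page, NOT AVideo's actual remindMe.json.php.
// Table and column names, the PDO handle and the function names are assumed.

// Vulnerable pattern: the request value is spliced into the SQL text. A value
// such as "1 AND SLEEP(5)" (MySQL) becomes part of the WHERE clause, and the
// delayed response reveals a true condition even though the JSON body does
// not change: that is the time-based blind injection described above.
function remindMeVulnerable(PDO $db, array $request): array
{
    $id  = $request['live_schedule_id'] ?? '';
    $sql = "SELECT id, scheduled_time FROM live_schedule WHERE id = {$id}";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return ['error' => $row === false, 'schedule' => $row ?: null];
}

// Hardened pattern, step 1: accept only a positive integer. filter_var with
// FILTER_VALIDATE_INT returns false for "1 AND SLEEP(5)", "1.0" or "" instead
// of silently truncating to 1 the way an (int) cast would, so probes can be
// rejected and logged rather than quietly neutralised.
function parseScheduleId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                        // arrays (live_schedule_id[]=...) etc.
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened pattern, step 2: bind the validated integer, so the value can never
// alter the statement even if the validation above were bypassed.
function remindMeHardened(PDO $db, array $request): array
{
    $id = parseScheduleId($request['live_schedule_id'] ?? '');
    if ($id === null) {
        // Caller maps 'status' to the HTTP response code.
        return ['error' => true, 'status' => 400,
                'msg' => 'live_schedule_id must be a positive integer'];
    }
    $stmt = $db->prepare('SELECT id, scheduled_time FROM live_schedule WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ['error' => $row === false, 'status' => 200, 'schedule' => $row ?: null];
}

// Self-check of the validator (runs from the CLI without a database).
$cases = [
    '17'              => 17,
    '1 AND SLEEP(5)'  => null,
    "17' OR '1'='1"   => null,
    '0'               => null,
    '1.0'             => null,
];
foreach ($cases as $input => $expected) {
    $got = parseScheduleId((string) $input);
    printf("%-20s => %-5s %s\n", var_export((string) $input, true),
           var_export($got, true), $got === $expected ? 'ok' : 'FAIL');
}
```

Running the file with `php` (8.0 or later, for the `mixed` type) prints one line per case; every probe value yields `NULL` and only `'17'` yields an integer. The two-layer design matters: validation alone can be bypassed by a parser quirk, and binding alone lets probes pass unnoticed, so the hardened handler does both.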
Mitigation Strategies
- Upgrade WWBN AVideo to a non-vulnerable version (>= 26.1); this is the only complete fix
- As a stop-gap, deploy Web Application Firewall (WAF) rules that block requests to remindMe.json.php whose live_schedule_id is not a plain integer and that flag time-delay functions (for example SLEEP or BENCHMARK) in query strings; treat this as a detective control, since time-based payloads are easy to obfuscate
- Enforce parameterized queries and strict integer validation of ID parameters across all database access abstractions, so the same bug class cannot recur in other endpoints
Remediation Steps:
- Verify the current running version of WWBN AVideo
- Backup the application database and configuration files
- Download and install AVideo version 26.1 or apply commit 75d45780728294ededa1e3f842f95295d3e7d144 manually
- Verify that requests to remindMe.json.php with a non-integer live_schedule_id (for example a value containing SQL keywords or a time-delay function) are rejected or strictly parsed as an integer, and that their response time does not differ from a baseline request with a valid ID
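The WAF rule in the mitigation list and the verification step above both reduce to two conditions on traffic to remindMe.json.php: a live_schedule_id that is not a plain integer, and a time-delay SQL function anywhere in the query string. The script below is an added example for this page, not an AVideo component or a vendor WAF rule; it evaluates those conditions over constructed access-log lines. The directory in the request paths is a placeholder (the check matches on the file name only), and the log lines are made up for the example.

```php
<?php
// Added detection example for this page; not an AVideo component or a vendor
// WAF rule. Log lines are constructed, and the directory in the request path is
// a placeholder: the rule matches on the file name remindMe.json.php only.

// Time-delay primitives used for time-based blind SQLi on MySQL/MariaDB,
// PostgreSQL and MSSQL. Attackers can obfuscate these (comments, encoding,
// case), which is why this is a detective control and not a substitute for
// the upgrade.
const DELAY_PATTERN = '/\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b/i';

// Parse one Combined Log Format line into its request components.
function parseRequest(string $line): ?array
{
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[5]);
    parse_str($url['query'] ?? '', $params);           // also URL-decodes values
    return [
        'ip' => $m[1], 'user' => $m[2], 'time' => $m[3], 'method' => $m[4],
        'path' => $url['path'] ?? '',
        'raw_query' => urldecode($url['query'] ?? ''),  // decoded text for the regex
        'params' => $params,
        'status' => (int) $m[6],
    ];
}

// Return an alert string for a suspicious remindMe.json.php request, else null.
function checkLine(string $line): ?string
{
    $r = parseRequest($line);
    if ($r === null || basename($r['path']) !== 'remindMe.json.php') {
        return null;
    }
    if (!array_key_exists('live_schedule_id', $r['params'])) {
        return null;
    }
    $id    = $r['params']['live_schedule_id'];
    $shown = is_string($id) ? $id : json_encode($id);   // arrays (id[]=...) too
    $who   = sprintf('%s (user %s) at %s', $r['ip'], $r['user'], $r['time']);

    if (preg_match(DELAY_PATTERN, $r['raw_query'])) {
        return "time-based SQLi probe from $who: live_schedule_id=$shown";
    }
    if (!is_string($id) || filter_var($id, FILTER_VALIDATE_INT) === false) {
        return "non-integer live_schedule_id from $who: $shown";
    }
    return null;
}

// Constructed sample traffic: one benign request, one time-based probe, one
// boolean-style probe, and one unrelated request that happens to mention SLEEP.
$sample = [
    '203.0.113.7 - alice [25/Mar/2026:10:00:01 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=17 HTTP/1.1" 200 84',
    '203.0.113.7 - alice [25/Mar/2026:10:00:09 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=17%20AND%20SLEEP(5) HTTP/1.1" 200 84',
    '198.51.100.4 - bob [25/Mar/2026:10:01:12 +0000] "GET /plugin/Live/remindMe.json.php?live_schedule_id=17%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 84',
    '198.51.100.4 - bob [25/Mar/2026:10:02:00 +0000] "GET /search.php?q=SLEEP(5) HTTP/1.1" 200 1200',
];
foreach ($sample as $line) {
    $alert = checkLine($line);
    echo $alert === null ? 'ok     ' . substr($line, 0, 70) . "...\n" : "ALERT  $alert\n";
}
```

Run with `php` against the constructed lines: the first and last requests print as `ok`, the second is reported as a time-based probe, and the third as a non-integer ID. On a patched instance, the same two probe requests should come back with a 4xx status (or be coerced to an integer) and take no longer than the benign request, which is the observable outcome the verification step asks for; a 200 with a noticeably longer response on the SLEEP request means the endpoint is still vulnerable.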
References
- NVD Record for CVE-2026-33651
- GitHub Advisory: GHSA-pvw4-p2jm-chjm
- Fix Commit 75d45780728294ededa1e3f842f95295d3e7d144
- Technical Write-up by Marlon Ribunal