DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33723: Authenticated SQL Injection in WWBN AVideo Subscription Logic

Vulnerability ID: CVE-2026-33723
CVSS Score: 7.1
Published: 2026-03-25

WWBN AVideo versions up to and including 26.0 contain a critical SQL injection vulnerability in the subscription module. The application fails to properly sanitize or parameterize the user_id POST parameter before incorporating it into database queries within the Subscribe::save() method. This allows an authenticated attacker to execute arbitrary SQL commands, gaining unauthorized read access to the backend database.

TL;DR

Authenticated SQL Injection in WWBN AVideo's objects/subscribe.php via the user_id parameter, enabling arbitrary database querying and sensitive data exfiltration.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89
  • Attack Vector: Network
  • Authentication: Required (Low Privilege)
  • CVSS v3.1 Score: 7.1
  • EPSS Score: 0.00019
  • CISA KEV: No

Affected Systems

  • WWBN AVideo (formerly YouPHPTube) <= 26.0
  • AVideo: <= 26.0 (Fixed in: Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c)

Code Analysis

Commit: 36dfae2

Refactor Subscribe::save() to use parameterized sqlDAL::writeSql queries and enforce type casting.
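As an added illustration of the pattern the patch description names (this is not AVideo's own code; the table, column names and the sqlite3 backend are constructed stand-ins), the pre-patch string interpolation of user_id is shown beside the cast-and-parameterize fix:

```python
import sqlite3

# Constructed in-memory table standing in for subscription data; AVideo's real schema is not reproduced.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribes (id INTEGER PRIMARY KEY, users_id INTEGER, subscriber_users_id INTEGER)")
    conn.executemany("INSERT INTO subscribes (users_id, subscriber_users_id) VALUES (?, ?)",
                     [(1, 7), (2, 7), (3, 9)])
    return conn

def count_vulnerable(conn, user_id, subscriber_id):
    # Pre-patch pattern: the POST user_id is interpolated straight into the query text,
    # so anything inside it becomes part of the statement (CWE-89).
    sql = (f"SELECT COUNT(*) FROM subscribes WHERE users_id = {user_id} "
           f"AND subscriber_users_id = {subscriber_id}")
    return conn.execute(sql).fetchone()[0]

def count_fixed(conn, user_id, subscriber_id):
    # Patched pattern: cast to int first (a non-numeric user_id raises ValueError),
    # then bind both values as parameters so they are only ever data, never SQL.
    uid, sid = int(user_id), int(subscriber_id)
    sql = "SELECT COUNT(*) FROM subscribes WHERE users_id = ? AND subscriber_users_id = ?"
    return conn.execute(sql, (uid, sid)).fetchone()[0]

def save_fixed(conn, user_id, subscriber_id):
    # Hardened save(): reject malformed input before any query runs; insert only if no row exists.
    try:
        existing = count_fixed(conn, user_id, subscriber_id)
    except ValueError:
        return False
    if existing == 0:
        conn.execute("INSERT INTO subscribes (users_id, subscriber_users_id) VALUES (?, ?)",
                     (int(user_id), int(subscriber_id)))
    return True

if __name__ == "__main__":
    db = make_db()
    tainted = "1 OR 1=1"  # constructed non-numeric user_id value
    print(count_vulnerable(db, "1", 7))      # 1: the single matching row
    print(count_vulnerable(db, tainted, 7))  # 2: the injected condition widened the WHERE clause
    print(save_fixed(db, tainted, 7))        # False: rejected by the int() cast, no SQL executed
```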

Mitigation Strategies

  • Upgrade WWBN AVideo to a version containing the patch (commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c).
  • Implement strict Web Application Firewall (WAF) rules to inspect POST payloads targeting /objects/subscribe.json.php.
  • Enforce least-privilege principles on the backend database account used by the application.

Remediation Steps:

  1. Review the current WWBN AVideo installation version.
  2. Pull the latest codebase updates from the official WWBN AVideo repository.
  3. Verify that objects/subscribe.php reflects the updated sqlDAL::writeSql parameterized implementation.
  4. Monitor application logs for historical SQL injection attempts targeting the subscription endpoints.

