CVE-2026-28501 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: March 9, 2026
WWBN AVideo - SQL Injection
Overview
WWBN AVideo < 24.0 contains an SQL injection caused by improper sanitization of the catName parameter in objects/videos.json.php and objects/video.php, letting unauthenticated attackers execute arbitrary SQL queries via JSON POST requests.
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary SQL queries, potentially leading to data disclosure or modification.
Mitigation
Upgrade to version 24.0 or later.
References
Social Media Activity(3 posts)
š“ CVE-2026-28501 - Critical (9.8) WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize th... š https://www.thehackerwire.com/vulnerability/CVE-2026-28501/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postš“ CVE-2026-28501 - Critical (9.8) WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize th... š https://www.thehackerwire.com/vulnerability/CVE-2026-28501/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š CVE-2026-28501: CRITICAL SQL Injection in WWBN AVideo < 24.0! Unauthenticated attackers can run arbitrary SQL via JSON POST (catName param). Upgrade to v24.0+ ASAP! Details: https://radar.offseq.com/threat/cve-2026-28501-cwe-89-improper-neutralization-of-s-36e0dbd6 #OffSeq #Infosec #SQLInjection #AVideo
View original postRelated Resources
Details
- CVE ID
- CVE-2026-28501
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- sql_injection
- Status
- unconfirmed
- EPSS
- 2.9%
- Social Posts
- 3
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H