CVE-2026-33651 - Vulnerability Analysis

Overview

WWBN AVideo <= 26.0 contains a SQL injection caused by unsanitized 'live_schedule_id' parameter concatenated into a SQL LIKE clause in Scheduler_commands::getAllActiveOrToRepeat, letting authenticated users perform time-based blind SQL injection to extract database contents, exploit requires authentication.

Severity & Score

Impact

Authenticated attackers can extract arbitrary database contents via time-based blind SQL injection.

Mitigation

Update to a version including commit 75d45780728294ededa1e3f842f95295d3e7d144 or later.

References

• https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144
• https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 23, 2026

🟠 CVE-2026-33651 - High (8.1) WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAl... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33651/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner