Home / Vulnerability Intelligence / CVE-2026-33651

CVE-2026-33651 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 23, 2026

WWBN AVideo - SQL Injection

Published: March 23, 2026Updated: March 23, 2026Remote Exploitable

Overview

WWBN AVideo <= 26.0 contains a SQL injection caused by unsanitized 'live_schedule_id' parameter concatenated into a SQL LIKE clause in Scheduler_commands::getAllActiveOrToRepeat, letting authenticated users perform time-based blind SQL injection to extract database contents, exploit requires authentication.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Authenticated attackers can extract arbitrary database contents via time-based blind SQL injection.

Mitigation

Update to a version including commit 75d45780728294ededa1e3f842f95295d3e7d144 or later.

References

https://github.com/WWBN/AVideo/commit/75d45780728294ededa1e3f842f95295d3e7d144
https://github.com/WWBN/AVideo/security/advisories/GHSA-pvw4-p2jm-chjm

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33651
Severity: High
CVSS Score: 8.1
Type: sql_injection
Status: new

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N