SB20260408174 - Multiple vulnerabilities in AVideo

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2026-33770)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to sql injection in the fixCleanTitle() method in objects/category.php when processing category creation or renaming input. A remote user can submit a specially crafted category title or id value to disclose sensitive information.

The issue is reachable through category management functionality.

2) SQL injection (CVE-ID: CVE-2026-33767)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to sql injection in the getLike() method in objects/like.php when handling a crafted like or dislike request with a user-controlled videos_id parameter. A remote user can send a specially crafted request to disclose sensitive information.

The vulnerable query uses a placeholder for users_id but concatenates videos_id directly into the SQL statement.

Remediation

Install update from vendor's website.

References

• https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vf
• https://github.com/WWBN/AVideo/security/advisories/GHSA-fj74-qxj7-r3vc