{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33025", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.668Z", "datePublished": "2026-03-20T05:02:09.501Z", "dateUpdated": "2026-03-20T13:53:06.246Z"}, "containers": {"cna": {"title": "AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj"}, {"name": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124"}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"version": "< 8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:02:09.501Z"}, "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers \u2014 making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only."}], "source": {"advisory": "GHSA-5qvj-5h75-27pj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:52:58.726958Z", "id": "CVE-2026-33025", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:53:06.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:52:58.726958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:53:02.872Z"}}], "cna": {"title": "AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause", "source": {"advisory": "GHSA-5qvj-5h75-27pj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"status": "affected", "version": "< 8.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj", "name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124", "name": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers \u2014 making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:02:09.501Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33025", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:53:06.246Z", "dateReserved": "2026-03-17T17:22:14.668Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T05:02:09.501Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo-encoder:*:*:*:*:*:*:*:*", "matchCriteriaId": "7838B812-EB07-43E4-B3F6-0887FB6CA33E", "versionEndExcluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers \u2014 making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only."}, {"lang": "es", "value": "AVideo es una plataforma para compartir videos. Las versiones anteriores a la 8.0 contienen una vulnerabilidad de inyecci\u00f3n SQL en el m\u00e9todo getSqlFromPost() de Object.php. Las claves del array $_POST['sort'] se utilizan directamente como identificadores de columna SQL dentro de una cl\u00e1usula ORDER BY. Aunque se aplic\u00f3 real_escape_string(), solo escapa caracteres de contexto de cadena (comillas, bytes nulos) y no proporciona protecci\u00f3n para los identificadores SQL \u2014 lo que la hace completamente ineficaz aqu\u00ed. Este problema se ha solucionado en la versi\u00f3n 8.0. Para solucionar este problema sin actualizar, los operadores pueden aplicar una regla de WAF para bloquear solicitudes POST donde cualquier clave sort[*] contenga caracteres fuera de [A-Za-z0-9_]. Alternativamente, restringir el acceso a la vista de cola (queue.json.php, index.php) solo a rangos de IP de confianza."}], "id": "CVE-2026-33025", "lastModified": "2026-03-24T16:32:11.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:15.877", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo-Encoder", "source": "cna", "vendor": "WWBN"}, "product": "avideo-encoder", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T17:30:04.193264+00:00", "value": {"mitigation_remediation": ["Upgrade to AVideo\u2011Encoder version 8.0 or newer.", "If an upgrade is not immediately possible, configure a web application firewall to reject POST requests where any sort[ ] key contains characters outside the set [A-Za-z0-9_].", "Limit access to the queue view and index page to trusted IP ranges to reduce exposure", "Regularly monitor access logs for anomalous sort parameters and respond to suspicious activity."], "summary": {"action": "Upgrade", "impact": "Authenticated SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN\u2019s AVideo\u2011Encoder. Any installation running a version earlier than 8.0 of the platform is susceptible. No other vendor or product is listed; the vulnerability is tied solely to the AVideo code base prior to the 8.0 release.", "description_and_impact": "A video-sharing platform before version 8.0 is vulnerable to authenticated SQL injection. The getSqlFromPost() method uses $_POST['sort'] array keys directly as SQL column identifiers in an ORDER BY clause without proper validation. Although real_escape_string was applied, it only protects string contexts and does not escape identifiers, allowing an attacker with a valid session to inject arbitrary SQL code. This can lead to unauthorized data disclosure, modification, or elevation of privileges. The flaw maps to CWE\u201189, a classic SQL injection weakness.", "risk_and_exploitability": "The CVSS score is 8.6, indicating high severity, while the EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not referenced in the CISA KEV catalog. Exploitation requires an authenticated user to craft a POST request targeting the sort parameter, which is then reflected in the ORDER BY clause, enabling arbitrary SQL commands. Because the attack vector is limited to authenticated sessions, the overall risk is mitigated by the need for valid credentials, but once obtained, the impact can be significant."}}}}, "created": "2026-03-20T08:52:32.937229+00:00", "updated": "2026-03-25T14:30:29.320060+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo-encoder"]}