{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T02:11:27.522","vulnerabilities":[{"cve":{"id":"CVE-2026-33352","sourceIdentifier":"security-advisories@github.com","published":"2026-03-23T14:16:33.580","lastModified":"2026-03-23T15:56:03.963","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue."},{"lang":"es","value":"WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, existe una vulnerabilidad de inyección SQL no autenticada en objects/category.php, en el método getAllCategories(). El parámetro de solicitud doNotShowCats se sanea solo eliminando caracteres de comilla simple (str_replace(''', '', ...)), pero esto se elude trivialmente utilizando una técnica de escape con barra invertida para desplazar los límites de la cadena SQL. El parámetro no está cubierto por ninguno de los filtros de entrada globales de la aplicación en objects/security.php. La versión 26.0 contiene un parche para el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndExcluding":"26.0","matchCriteriaId":"B468F0CE-E5E7-4607-BD15-B5763C47493E"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}