Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch.

INFO

Published Date :

2026-03-23T14:14:15.477Z

Last Modified :

2026-03-25T14:17:20.198Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33485 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33485.

URL Resource
https://github.com/WWBN/AVideo/commit/af59eade82de645b20183cc3d74467a7eac76549 cve-icon cve-icon
https://github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact