{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33025", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.668Z", "datePublished": "2026-03-20T05:02:09.501Z", "dateUpdated": "2026-03-20T13:53:06.246Z"}, "containers": {"cna": {"title": "AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj"}, {"name": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124"}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"version": "< 8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:02:09.501Z"}, "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers \u2014 making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only."}], "source": {"advisory": "GHSA-5qvj-5h75-27pj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:52:58.726958Z", "id": "CVE-2026-33025", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:53:06.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:52:58.726958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:53:02.872Z"}}], "cna": {"title": "AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause", "source": {"advisory": "GHSA-5qvj-5h75-27pj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo-Encoder", "versions": [{"status": "affected", "version": "< 8.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj", "name": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124", "name": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers \u2014 making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:02:09.501Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33025", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:53:06.246Z", "dateReserved": "2026-03-17T17:22:14.668Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T05:02:09.501Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers \u2014 making it entirely ineffective here. This issue has been fixed in version 8.0. To workaround this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9_]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only."}], "id": "CVE-2026-33025", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:15.877", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo-Encoder", "source": "cna", "vendor": "WWBN"}, "product": "avideo-encoder", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-20T06:22:44.724567+00:00", "value": {"mitigation_remediation": ["Apply the latest patch or upgrade to AVideo-Encoder version 8.0 or later", "Configure a WAF rule to block POST requests where any sort key contains characters outside [A-Za-z0-9_]", "Restrict access to queue view (queue.json.php, index.php) to trusted IP ranges only"], "summary": {"action": "Upgrade", "impact": "Authenticated SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected vendors and products include WWBN:AVideo-Encoder. According to the data, all releases prior to version 8.0 contain the vulnerability; version 8.0 and later contain the fix. No other affected versions are listed.", "description_and_impact": "The weakness in AVideo-Encoder is an authenticated SQL injection in the getSqlFromPost() method of Object.php, where POST data in the 'sort' array is used directly as column identifiers in an ORDER BY clause. Key detail from vendor description: the use of real_escape_string() provides protection only for string contexts, not for SQL identifiers, rendering the sanitization ineffective. This flaw enables an attacker with valid credentials to manipulate SQL queries and potentially read, modify, or delete arbitrary data, impacting confidentiality, integrity, and availability. The issue is classified as CWE-89.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity. Although EPSS is not available and the vulnerability is not listed in the KEV catalog, the nature of a web-based SQL injection that requires only authenticated access and a POST request makes exploitation likely in a realistic scenario. Likely attack vector is through the web interface where authenticated users submit sort parameters to queue or queue.json views. If exploited, an attacker could gain full data exposure or in some configurations elevation of privilege. The vulnerability can be exploited with minimal setup: a user with login access to the affected pages can submit crafted POST data. Monitoring for abnormal sort input or implementing the vendor\u2019s patch is advised to reduce risk."}}}}, "created": "2026-03-20T08:52:32.937229+00:00", "updated": "2026-03-20T10:37:14.598758+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo-encoder"]}