{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34374", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.369Z", "datePublished": "2026-03-27T18:16:22.155Z", "dateUpdated": "2026-03-27T19:33:12.013Z"}, "containers": {"cna": {"title": "AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xgv5-66wp-ch88", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xgv5-66wp-ch88"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T18:16:22.155Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available."}], "source": {"advisory": "GHSA-xgv5-66wp-ch88", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:33:00.474837Z", "id": "CVE-2026-34374", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:33:12.013Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available."}], "id": "CVE-2026-34374", "lastModified": "2026-03-27T19:16:42.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T19:16:42.930", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xgv5-66wp-ch88"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T19:22:40.469670+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to a version beyond 26.0 when it becomes available", "Restrict RTMP publishing to trusted IP addresses or networks", "Implement firewall rules to block unsolicited RTMP connections", "Enable logging for failed login attempts and monitor for anomalous SQL injection patterns", "Apply general web application security best practices, such as sanitizing all user inputs and using parameterized queries in all database interactions"], "summary": {"action": "Patch Now", "impact": "Database Compromise via Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN AVideo, an open source video platform. All releases up to and including version 26.0 are vulnerable. No patched version is currently available; vendors have not released an update at the time of this advisory.", "description_and_impact": "The flaw resides in the Live_schedule::keyExists() function, which concatenates a stream key directly into an SQL query without using parameterized statements. This bypass occurs during RTMP publish authentication, allowing an attacker to supply a specially crafted stream key that injects arbitrary SQL. Successful exploitation could give the attacker read and write access to the database, permitting data exfiltration, tampering with user accounts, or altering system configuration. The vulnerability is classified as CWE-89, indicating a classic SQL injection weakness.", "risk_and_exploitability": "The CVSS score is 9.1, representing high severity. EPSS data is unavailable and the issue is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. It is inferred that the attack vector involves an RTMP publisher sending a malicious stream key during authentication. Because the injection opportunity exists on a public-facing broadcast endpoint, attackers with any RTMP client capability could potentially exploit the flaw, provided they know a valid broadcast URL."}}}}, "created": "2026-03-27T20:27:48.706100+00:00", "updated": "2026-03-27T20:27:48.706128+00:00", "vendors": []}