CVE-2026-33352 — AI Deep Analysis Summary

🚨 **Essence**: SQL Injection in WWBN AVideo. 💥 **Consequences**: Attackers can manipulate database queries via the `doNotShowCats` parameter. This leads to potential data theft, modification, or system compromise.

🛡️ **Root Cause**: CWE-89 (SQL Injection). 🐛 **Flaw**: The `getAllCategories` method in `objects/category.php` fails to validate input. It only strips single quotes, which is easily bypassed by attackers.

👥 **Affected**: WWBN AVideo platform. 📦 **Versions**: All versions **before 26.0**. 🏷️ **Component**: `objects/category.php` file.

💀 **Capabilities**: Full database access. 📊 **Impact**: High Confidentiality, Integrity, and Availability impact (CVSS H). Hackers can read, alter, or delete sensitive video platform data.

🔓 **Threshold**: Low. 🌐 **Auth**: None required (PR:N). 🎯 **Complexity**: Low (AC:L). Remote attackers can exploit this without authentication or user interaction.

📜 **Public Exp**: No specific PoC code provided in data. 🔗 **Reference**: Official GitHub Advisory (GHSA-mcj5-6qr4-95fj) confirms the flaw. Wild exploitation is likely due to low complexity.

🔍 **Check**: Scan for WWBN AVideo instances. 🧪 **Test**: Target the `doNotShowCats` parameter in `objects/category.php`. Look for SQL error responses or time delays indicating injection success.

✅ **Fixed**: Yes. 📅 **Patch**: Released in version **26.0**. 🔗 **Commit**: See GitHub commit `206d38e97b8c854771bb2907b13f9f36e8bcf874` for the fix details.

🚧 **Workaround**: If unpatched, restrict network access to the `objects/category.php` endpoint. 🛑 **Mitigation**: Implement strict input validation and use prepared statements instead of simple quote stripping.

🔥 **Urgency**: Critical. 🚀 **Priority**: Patch immediately. With CVSS High severity and no auth required, this is a high-risk vulnerability for any unpatched AVideo deployment.