CVE-2026-33485 AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations —...

CVE-2026-33485 AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations —...

CVE-2026-33485

CVE-2026-33485 affects WWBN/AVideo up to version 26.0, where the RTMP on_publish.php endpoint is reachable without authentication. The attack relies on the stream key in $_POST['name'], which is interpolated directly into SQL in two places: LiveTransmitionHistory::getLatest() and LiveTransmition:...

AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

Summary The RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest and LiveTransmition::keyExists — without parameterized binding...