CVE-2026-33723

WWBN AVideo vulnerable to SQL Injection in Subscribe endpoint (Subscribe::save). In versions up to 26.0, Subscribe::save() builds an INSERT query by directly concatenating $this->users_id (derived from $_POST['user_id'] in subscribe.json.php and subscribeNotify.json.php) without sanitization o...