Lucene search
K

3 matches found

Cvelist
Cvelist
added 2026/03/27 4:12 p.m.25 views

CVE-2026-33767 AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in objects/like.php, the getLike method constructs a SQL query using a prepared statement placeholder ? for usersid but directly concatenates $this-videosid into the query string without parameterization. An...

7.1CVSS0.00509EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/27 4:12 p.m.3 views

CVE-2026-33767 AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in objects/like.php, the getLike method constructs a SQL query using a prepared statement placeholder ? for usersid but directly concatenates $this-videosid into the query string without parameterization. An...

7.1CVSS6AI score0.00509EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/26 6:12 p.m.7 views

AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query

Summary In objects/like.php, the getLike method constructs a SQL query using a prepared statement placeholder ? for usersid but directly concatenates $this-videosid into the query string without parameterization. An attacker who can control the videosid value via a crafted request can inject...

8.8CVSS6AI score0.00509EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder