SQL Injection in Wwbn Avideo-encoder

CVE-2026-33025

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clau…

Vulnerability class: SQL Injection

EPSS: 0.000 (4.2th percentile) — read the EPSS interpretation.

Affected products

Wwbn Avideo-encoder — versions < 8.0

Weakness classification (CWE)

CWE-89 — SQL Injection

References

https://github.com/WWBN/AVideo-Encoder/security/advisories/GHSA-5qvj-5h75-27pj (x_refsource_CONFIRM)
https://github.com/WWBN/AVideo-Encoder/commit/d1c8a17ac88b5e27da9dfb7a230bbaf54aa53124 (x_refsource_MISC)