SQL Injection in Wwbn Avideo

CVE-2026-33767

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates…

Vulnerability class: SQL Injection

EPSS: 0.000 (7.6th percentile) — read the EPSS interpretation.

Affected products

Wwbn Avideo — versions <= 26.0

Weakness classification (CWE)

CWE-89 — SQL Injection

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-fj74-qxj7-r3vc (x_refsource_CONFIRM)
https://github.com/WWBN/AVideo/commit/0215d3c4f1ee748b8880254967b51784b8ac4080 (x_refsource_MISC)