CVE-2026-28501
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
Description
## Impact

An unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after the global security checks are executed, the payload bypasses the existing sanitization mechanisms.

This allows an unauthenticated attacker to:

- Execute arbitrary SQL queries
- Perform full database exfiltration
- Extract sensitive data, including administrator usernames, password hashes, session identifiers and user records
- Potentially escalate privileges by cracking password hashes offline
- Chain with authenticated vulnerabilities to achieve full system compromise

This vulnerability is classified as:

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

## Patches

This vulnerability has been fixed in version 23. Users must upgrade to version 23 or later.

## Workarounds

There is no reliable workaround. The only recommended mitigation is to upgrade immediately to version 23 upon its release.

## References

Internal security report.
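The ordering flaw described above, shown as an added illustrative example next to a hardened version. This is not AVideo's code: the function names, the `categories` table and the sanitizer are hypothetical stand-ins for the "global security checks" and the JSON-to-$_REQUEST merge the advisory describes.

```php
<?php
// Added example, not AVideo's code. Stand-in for a global input filter that
// runs before page-level code; real filters are more thorough.
function sanitizeRequestGlobals(): void {
    foreach ($_REQUEST as $k => $v) {
        if (is_string($v)) {
            $_REQUEST[$k] = preg_replace('/[^\w\-\s]/', '', $v);
        }
    }
}

// Merges a JSON request body into $_REQUEST, as the advisory describes.
function mergeJsonBodyIntoRequest(string $rawBody): void {
    $json = json_decode($rawBody, true);
    if (is_array($json)) {
        $_REQUEST = array_merge($_REQUEST, $json);
    }
}

// VULNERABLE ordering: the filter runs first, then JSON fields are merged in
// after it and concatenated straight into SQL (hypothetical query).
function lookupCategoryVulnerable(PDO $db, string $rawBody): array {
    sanitizeRequestGlobals();             // only sees $_GET/$_POST content
    mergeJsonBodyIntoRequest($rawBody);   // catName arrives after the checks
    $catName = $_REQUEST['catName'] ?? '';
    $sql = "SELECT id, name FROM categories WHERE name = '$catName'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: bind the value, so the query is safe no matter how the parameter
// entered $_REQUEST; merging before filtering adds defense in depth.
function lookupCategoryHardened(PDO $db, string $rawBody): array {
    mergeJsonBodyIntoRequest($rawBody);
    sanitizeRequestGlobals();
    $catName = $_REQUEST['catName'] ?? '';
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE name = :name');
    $stmt->execute([':name' => $catName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data and body: a quote in catName is treated as data.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO categories (name) VALUES ('music'), ('news')");
$body = json_encode(['catName' => "mu'sic"]);
var_dump(lookupCategoryHardened($db, $body)); // no rows, no SQL error
```

The vulnerable function is included only to make the ordering visible; with the same body it would raise a SQL syntax error, which is the symptom a web application firewall or database error log would surface first.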
How to fix CVE-2026-28501
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2026-28501 being exploited?
Moderate — EPSS is 25.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- AVideo: from 0, <= 21.0.0