SQL Injection Flaws Expose AVideo Data and Enable OpenSTAManager RCE
Two newly disclosed SQL injection vulnerabilities affect WWBN AVideo Live Schedule Reminder and the OpenSTAManager Aggiornamenti module, exposing organizations to severe database compromise. CVE-2026-33651 is a blind SQL injection issue in AVideo rated CVSS 8.1 that can let attackers exfiltrate the full database, including email addresses, personal information, and password hashes, while also modifying or deleting records through injected UPDATE or DELETE statements. Repeated time-based exploitation attempts could also degrade service performance by exhausting server connection pools.
CVE-2026-35168 affects OpenSTAManager and allows an authenticated attacker to execute arbitrary SQL with the privileges of the configured database user, undermining confidentiality, integrity, and availability. In MySQL or MariaDB deployments with broad database permissions, the flaw can enable schema changes, stored procedure tampering, and theft of sensitive financial data; where the database account has the FILE privilege, attackers can escalate from database access to remote code execution on the application server by writing arbitrary files to the host filesystem.
Timeline
Apr 3, 2026
CVE-2026-35168 SQL injection in OpenSTAManager is disclosed
An authenticated SQL injection vulnerability in the OpenSTAManager Aggiornamenti module is disclosed. The flaw could enable full database compromise and, in MySQL or MariaDB environments with FILE privilege, escalation to arbitrary file write and remote code execution on the application server.
Mar 25, 2026
CVE-2026-33651 blind SQL injection in AVideo is disclosed
A high-severity blind SQL injection vulnerability affecting WWBN AVideo Live Schedule Reminder is reported. The issue could allow database exfiltration, data modification or deletion, and potentially further compromise if administrative password hashes are cracked.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
AVideo Flaws Enable Unauthenticated Takeover and SSRF on Exposed Deployments
WWBN **AVideo** versions `25.0` and earlier were found to contain two high-severity vulnerabilities that can be exploited without authentication. `CVE-2026-33038` allows full application takeover on uninitialized deployments because the exposed `install/checkConfiguration.php` endpoint can accept unauthenticated `POST` data to complete setup, create an administrator account, configure the database, and write the application's configuration file. Systems that have not yet created `videos/configuration.php` are especially at risk, as an attacker can initialize the platform with attacker-controlled credentials and infrastructure, gaining full administrative access. A second flaw, `CVE-2026-33039`, affects the `plugin/LiveLinks/proxy.php` endpoint and enables **server-side request forgery (SSRF)** through an HTTP redirect bypass. AVideo validates only the initial user-supplied URL, but does not re-validate redirect targets fetched by the proxy logic, allowing attackers to reach internal resources such as **RFC1918** addresses and cloud metadata services. Both issues were addressed in **AVideo `26.0`**, with the takeover bug classified as `CWE-306` and the SSRF bug as `CWE-918`.
1 weeks ago
AVideo Flaws Enable Remote Code Execution via Command Injection and Malicious Plugin Upload
WWBN **AVideo** versions up to and including `26.0` are affected by two high-severity flaws that can lead to **remote code execution**. `CVE-2026-33482` is an OS command injection bug in `sanitizeFFmpegCommand()`, which strips some shell metacharacters but fails to remove bash command substitution using `$()`. Because the resulting `ffmpeg` command is later executed in a double-quoted `sh -c` context by `execAsync()`, an attacker able to craft a valid encrypted payload can run arbitrary commands on the standalone encoder server. A separate issue, `CVE-2026-33507`, allows unauthenticated code execution through the plugin import workflow. The `objects/pluginImport.json.php` endpoint permits admin users to upload and install plugin ZIP archives containing executable PHP, but lacks **CSRF** protection; with `session.cookie_samesite = 'None'` on HTTPS connections, an attacker can trick a logged-in administrator into silently importing a malicious plugin and deploying a PHP webshell. Fixes were introduced in commits `25c8ab90269e3a01fb4cf205b40a373487f022e1` and `d1bc1695edd9ad4468a48cea0df6cd943a2635f3`.
1 months ago
SSRF in Saloon PHP and Auth Model Leak in AVideo Expose Sensitive Data
Two newly disclosed vulnerabilities expose sensitive information in widely used web application components. **CVE-2026-33182** affects **Saloon PHP** and allows unauthenticated, network-based **server-side request forgery (SSRF)** that can leak API credentials and session tokens, potentially granting attackers access to integrated third-party services and enabling misuse of those external environments. The issue carries a **CVSS 4.0 score of 6.6** and is described as a high-confidentiality-impact flaw, with the host application's local database remaining intact even as connected systems may be exposed. A separate issue, **CVE-2026-33501**, affects the **WWBN AVideo Permissions Plugin** and discloses an application's internal authorization model by revealing mappings between user groups and specific plugins. Although rated lower at **CVSS v3.1 5.3** and not associated with credential or personally identifiable information exposure, the flaw provides valuable reconnaissance that can help attackers identify privileged roles, map the attack surface, and support follow-on privilege escalation attempts against vulnerable authenticated extensions.
1 months ago