SB20260408174 - Multiple vulnerabilities in AVideo

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2026-33770)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to sql injection in the fixCleanTitle() method in objects/category.php when processing category creation or renaming input. A remote user can submit a specially crafted category title or id value to disclose sensitive information.

The issue is reachable through category management functionality.

2) SQL injection (CVE-ID: CVE-2026-33767)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to sql injection in the getLike() method in objects/like.php when handling a crafted like or dislike request with a user-controlled videos_id parameter. A remote user can send a specially crafted request to disclose sensitive information.

The vulnerable query uses a placeholder for users_id but concatenates videos_id directly into the SQL statement.

3) Path traversal (CVE-ID: CVE-2026-33293)

The vulnerability allows a remote user to delete arbitrary files and cause a denial of service.

The vulnerability exists due to path traversal in the deleteDump parameter in plugin/CloneSite/cloneServer.json.php when handling crafted delete requests. A remote user can send a specially crafted request containing directory traversal sequences to delete arbitrary files and cause a denial of service.

Exploitation requires valid clone credentials consisting of an approved URL and matching key.

Remediation

Install update from vendor's website.

References

• https://github.com/WWBN/AVideo/security/advisories/GHSA-584p-rpvq-35vf
• https://github.com/WWBN/AVideo/security/advisories/GHSA-fj74-qxj7-r3vc
• https://github.com/WWBN/AVideo/security/advisories/GHSA-xmjm-86qv-g226