Main
Vulnerability Database
Exploits
ID:12564 - Exploit for SQL injection in AVideo - CVE-2026-28501
ID:12564 - Exploit for SQL injection in AVideo - CVE-2026-28501
Published: April 10, 2026
Vulnerability identifier: #VU125435
Vulnerability risk: High
CVE-ID: CVE-2026-28501
CWE-ID: CWE-89
Exploitation vector: Remote access
Vulnerable software:
AVideo
AVideo
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL queries and disclose sensitive information.
The vulnerability exists due to sql injection in objects/videos.json.php and objects/video.php when processing the catName parameter from a JSON-formatted POST request body. A remote attacker can send a specially crafted JSON request to execute arbitrary SQL queries and disclose sensitive information.
JSON input is parsed and merged into $_REQUEST after global security checks are executed, allowing the payload to bypass the existing sanitization mechanisms.
Remediation
Install security update from vendor's website.