CVE-2026-33767: AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
In objects/like.php, the getLike() method constructs a SQL query using a prepared statement placeholder (?) for users_id but directly concatenates $this->videos_id into the query string without parameterization. An attacker who can control the videos_id value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection.
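The flaw pattern described above, as an added illustration that is not AVideo's own code: a query that binds users_id but concatenates videos_id, beside a version that binds both values and validates videos_id first. The table, columns, sample rows and the tampered input are constructed for this example, and an in-memory SQLite database via PDO stands in for the project's MySQL backend so it runs offline.

```php
<?php
// Constructed schema and rows for the example (not AVideo's real table).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE likes (id INTEGER PRIMARY KEY, users_id INTEGER, videos_id INTEGER, "like" INTEGER)');
$pdo->exec('INSERT INTO likes (users_id, videos_id, "like") VALUES (1, 10, 1), (1, 11, -1), (2, 10, 1)');

// Vulnerable shape: users_id goes through a placeholder, but videos_id is
// concatenated into the SQL text, so the placeholder protects only one value.
function getLikeVulnerable(PDO $pdo, int $users_id, string $videos_id): array {
    $sql = "SELECT * FROM likes WHERE users_id = ? AND videos_id = " . $videos_id;
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$users_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: both values are bound, and videos_id is additionally
// validated as a positive integer before it reaches the database layer.
function getLikeSafe(PDO $pdo, int $users_id, $videos_id): array {
    if (filter_var($videos_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        throw new InvalidArgumentException('videos_id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM likes WHERE users_id = ? AND videos_id = ?');
    $stmt->execute([$users_id, (int) $videos_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed tampered value: a string that is not a single integer id.
// In the vulnerable query the WHERE clause no longer restricts the rows;
// the hardened function refuses the value before any SQL is built.
$tampered = '10 OR 1=1';
echo count(getLikeVulnerable($pdo, 1, $tampered)), " rows from the vulnerable query\n";
try {
    getLikeSafe($pdo, 1, $tampered);
} catch (InvalidArgumentException $e) {
    echo "hardened query rejected the value: ", $e->getMessage(), "\n";
}
echo count(getLikeSafe($pdo, 1, '10')), " row from the hardened query\n";
```

The same defect exists whichever database driver is used; the fix is to bind every attacker-influenced value, not just some of them, and to reject non-numeric ids at the boundary.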