CVE-2026-28501: AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
An unauthenticated SQL Injection vulnerability exists in AVideo in the objects/videos.json.php and objects/video.php components.
The catName parameter is not sanitized when it is supplied in a JSON-formatted POST request body. The JSON body is decoded and merged into $_REQUEST only after the application's global security checks have already run over $_REQUEST, so a payload delivered this way never passes through the existing sanitization and reaches the SQL query unchanged.
This allows an unauthenticated attacker to:
- Execute arbitrary SQL queries
- Perform full database exfiltration
- Extract sensitive data including administrator usernames, password hashes, session identifiers and user records
- Potentially escalate privileges by cracking password hashes offline
- Chain with vulnerabilities that require authentication, once recovered credentials or session identifiers are used, to achieve full system compromise
This vulnerability is classified as:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
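The request-handling order described above, as an added illustration that is not AVideo's own code: the global sanitizer, the categories table and its columns are hypothetical stand-ins, and the in-memory SQLite database and the two request inputs are constructed for the demo. The block also shows why a parameterized query closes the hole regardless of where the sanitizer runs.

```php
<?php
// Added example, not AVideo's code. Models the ordering bug the advisory describes:
// a global sanitizer runs over $_REQUEST, then a JSON body is decoded and merged into
// $_REQUEST, so the merged keys never pass through the sanitizer. The sanitizer, the
// "categories" table and its columns are hypothetical stand-ins.

declare(strict_types=1);

// Hypothetical global filter: keep only word characters, spaces and hyphens.
function sanitizeRequest(array $request): array
{
    foreach ($request as $k => $v) {
        if (is_string($v)) {
            $request[$k] = preg_replace('/[^\w -]/', '', $v);
        }
    }
    return $request;
}

// Decode a JSON body and merge its keys over the existing request parameters.
function mergeJsonBody(array $request, string $rawBody): array
{
    $json = json_decode($rawBody, true);
    return is_array($json) ? array_merge($request, $json) : $request;
}

// Vulnerable ordering: sanitize first, then merge. Keys from the JSON body bypass the filter.
function vulnerableOrder(array $request, string $rawBody): array
{
    return mergeJsonBody(sanitizeRequest($request), $rawBody);
}

// Corrected ordering: merge every input source first, then sanitize the combined result.
function fixedOrder(array $request, string $rawBody): array
{
    return sanitizeRequest(mergeJsonBody($request, $rawBody));
}

// CWE-89 pattern: the request value is concatenated into the SQL text.
function lookupUnsafe(PDO $db, string $catName): array
{
    $sql = "SELECT id, name FROM categories WHERE name = '$catName'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized form: the value is bound as data and cannot alter the query structure,
// whatever the request-ordering bug lets through.
function lookupSafe(PDO $db, string $catName): array
{
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE name = ?');
    $stmt->execute([$catName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data: in-memory SQLite stands in for the application database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO categories (name) VALUES ('music'), ('news'), ('private')");

// Constructed inputs: a query-string parameter and a JSON POST body carrying a tautology.
$queryParams = ['catName' => 'music'];
$jsonBody = '{"catName": "music\' OR \'1\'=\'1"}';

$vuln  = vulnerableOrder($queryParams, $jsonBody);   // quotes and '=' survive
$fixed = fixedOrder($queryParams, $jsonBody);        // quotes and '=' stripped
printf("vulnerable order sees: %s\n", $vuln['catName']);
printf("fixed order sees:      %s\n", $fixed['catName']);

// Concatenated query with the raw value returns every row; the prepared statement returns none.
printf("concatenated query, raw value: %d rows\n", count(lookupUnsafe($db, $vuln['catName'])));
printf("prepared statement, raw value: %d rows\n", count(lookupSafe($db, $vuln['catName'])));
```

Run it with `php example.php` (the pdo_sqlite extension is required). Moving the sanitizer after the JSON merge only narrows the bypass; the durable fix for CWE-89 is the prepared statement in lookupSafe, which holds even if a future input source is merged after every filter.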