CVE-2026-33485: AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

March 20, 2026

The RTMP on_publish callback at plugin/Live/on_publish.php is accessible without authentication. The $_POST['name'] parameter (stream key) is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest() and LiveTransmition::keyExists() — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-8p58-35c3-ccxx
github.com/advisories/GHSA-8p58-35c3-ccxx
nvd.nist.gov/vuln/detail/CVE-2026-33485

Code Behaviors & Features

Detect and mitigate CVE-2026-33485 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →