CVE-2026-34374
Wstrzyknięcie SQL w WWBN AVideo umożliwia zdalne wykonanie kodu przez nieprawidłowe przetwarzanie klucza strumienia.
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to `Live_schedule::keyExists()` undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the `live_schedule_id` parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.1 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-03-27 19:16:42 UTC |
| Ostatnia modyfikacja (NVD) | 2026-03-31 18:49:13 UTC |
- https://github.com/WWBN/AVideo/security/advisories/GHSA-xgv5-66wp-ch88 (security-advisories@github.com) [Exploit, Vendor Advisory]