Security researchers have identified two severe vulnerabilities in AVideo, a popular open-source video streaming platform used by content creators and businesses to host and monetize media. These flaws, if exploited, could allow attackers to steal sensitive database records or gain complete control over the host server.
The most critical of the two, tracked as CVE-2026-28501, is an unauthenticated SQL Injection vulnerability with a CVSS score of 9.8.
The flaw exists within the platform’s handling of JSON-formatted POST requests. Specifically, the application fails to sanitize the catName parameter when it is processed by the objects/videos.json.php and objects/video.php components. Because this input is merged into the system’s global request variables after initial security checks are performed, the malicious payload effectively bypasses the platform’s sanitization mechanisms.
Potential Impact:
- Database Exfiltration: Attackers can execute arbitrary SQL queries to dump the entire database.
- Identity Theft: Sensitive records, including administrator usernames, session identifiers, and password hashes, can be extracted.
- Privilege Escalation: By cracking stolen password hashes offline, an attacker could gain legitimate administrative access to the platform.
The second flaw, CVE-2026-28502, is an authenticated Remote Code Execution (RCE) vulnerability related to the platform’s plugin upload functionality.
While this attack requires administrator-level credentials, it allows for a total system compromise. The root cause is a lack of strict file validation; the system only checks if an uploaded plugin is a ZIP file but does not inspect the contents of that archive. An attacker can upload a specially crafted ZIP containing malicious PHP scripts, which are then extracted directly into a web-accessible directory.
Potential Impact:
- Full System Compromise: Execution of arbitrary PHP code leads to total loss of confidentiality, integrity, and availability.
- Persistence: Once RCE is achieved, attackers can install permanent backdoors on the server.
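The root cause described above is that only the container format is checked, not what it contains. As an added illustration (not AVideo's own code), the following PHP pre-extraction check inspects every archive entry before anything is written to a web-accessible directory; the extension list and size limits are assumptions an operator would tune.

```php
<?php
// Added example, not AVideo's code: inspect a plugin ZIP before extracting it.
// Returns a list of problems; extract only when the list is empty.
function validatePluginArchive(string $zipPath, int $maxEntries = 2000, int $maxTotalBytes = 50 * 1024 * 1024): array
{
    $errors = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CHECKCONS) !== true) {
        return ['Archive failed to open or failed the consistency check'];
    }
    // Extensions a typical PHP web server will execute. Every dotted part of every
    // path segment is checked, so "shell.php.txt" and ".htaccess" are refused too.
    $forbidden = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'inc', 'htaccess'];
    if ($zip->numFiles > $maxEntries) {
        $errors[] = 'Too many entries in archive';
    }
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        $name = str_replace('\\', '/', $stat['name']);
        // Absolute paths and ".." segments would land files outside the plugin directory.
        if ($name === '' || $name[0] === '/' || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            $errors[] = "Path traversal or absolute path: $name";
            continue;
        }
        foreach (explode('/', $name) as $segment) {
            foreach (explode('.', strtolower($segment)) as $k => $part) {
                if ($k > 0 && in_array($part, $forbidden, true)) {
                    $errors[] = "Executable file type in archive: $name";
                    break 2;
                }
            }
        }
        $total += $stat['size']; // uncompressed size, to catch decompression bombs
    }
    if ($total > $maxTotalBytes) {
        $errors[] = 'Uncompressed size exceeds limit';
    }
    $zip->close();
    return $errors;
}

// Usage (paths are placeholders): extract only after the archive passes inspection.
$problems = validatePluginArchive('/tmp/upload/plugin.zip');
if ($problems === []) {
    $zip = new ZipArchive();
    $zip->open('/tmp/upload/plugin.zip');
    $zip->extractTo('/var/www/avideo/plugin/'); // placeholder target directory
    $zip->close();
} else {
    error_log('Rejected plugin upload: ' . implode('; ', $problems));
}
```

Rejecting executable file types inside the archive complements, rather than replaces, the web-server rule that denies PHP execution in the plugin directories.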
AVideo has moved quickly to address these threats in its latest release. All users are urged to upgrade immediately to AVideo version 23 or later, which introduces hardened validation for both JSON requests and plugin extractions.
If an immediate upgrade is not possible, administrators should apply these workarounds:
- Disable Plugin Imports: Turn off the plugin upload/import functionality to block the RCE vector.
- Server Hardening: Configure your web server to explicitly prevent the execution of PHP files within the plugin upload directories.