CVE-2026-28501
Vulnerability data via CVEDB (Shodan)
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-28501product:"Wwbn Avideo"http.html:"Avideo"More intel sources (5)
vuln:CVE-2026-28501vulnerabilities.cve_id: CVE-2026-28501CVE-2026-28501CVE-2026-28501"CVE-2026-28501" exploit -site:nvd.nist.gov