Description
AVideo <= 22.0 is vulnerable to unauthenticated SQL injection via the catName parameter in objects/videos.json.php (CVE-2026-28501).
The security filter in security.php sanitizes GET/POST parameters but does not cover JSON request bodies. Since videos.json.php parses JSON input and merges it into $_REQUEST after the filter runs, a catName value sent as JSON bypasses sanitization entirely and reaches getCatSQL() unsanitized.
This module uses time-based blind injection with BENCHMARK() to dump usernames and password hashes. SLEEP() is blocked by the sqlDAL prepared statement layer, but BENCHMARK(N*(condition), SHA1(x)) works because the condition is evaluated as a multiplier on the iteration count, avoiding the subquery restrictions imposed by prepare().
Fixed in 24.0 (no 23.0 release exists).
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/gather/avideo_catname_sqlimsf undefined(avideo_catname_sqli) > show actions ...actions...msf undefined(avideo_catname_sqli) > set ACTION < action-name >msf undefined(avideo_catname_sqli) > show options ...show and set options...msf undefined(avideo_catname_sqli) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub