Injection

Injection in Go (Gin) [CVE-2026-33651]

[Updated 2026-03] Updated CVE-2026-33651

Overview

CVE-2026-33651 describes a real-world SQL injection flaw in WWBN AVideo in which tainted input is passed through several functions and finally concatenated into a SQL LIKE clause, enabling time-based blind SQL injection to exfiltrate data. The PHP-specific path was closed by a patch (commit 75d45780728294ededa1e3f842f95295d3e7d144), but the underlying defect, unvalidated input reaching a string that is later executed as SQL, is a class of injection flaw that can appear in any language stack, including Go. This guide shows how the same pattern manifests in a Go (Gin) service and how to remediate it so that attackers cannot exploit it in Go code. The CVE identifier and CWE-89 are cited so that remediation can be tracked against the real-world advisory.

Code Fix Example

Go (Gin) API Security Remediation
package main

import (
  "database/sql"
  "log"
  "net/http"

  "github.com/gin-gonic/gin"
  _ "github.com/go-sql-driver/mysql"
)

var db *sql.DB

func main() {
  // Initialize DB (replace DSN with real credentials).
  var err error
  db, err = sql.Open("mysql", "user:password@tcp(127.0.0.1:3306)/dbname")
  if err != nil {
    log.Fatal(err)
  }
  defer db.Close()
  // sql.Open only validates the DSN; Ping confirms the connection works.
  if err := db.Ping(); err != nil {
    log.Fatal(err)
  }

  r := gin.Default()
  r.GET("/vuln", vulnerableSearch)
  r.GET("/fix", fixedSearch)
  if err := r.Run(":8080"); err != nil {
    log.Fatal(err)
  }
}

// vulnerableSearch keeps the flawed pattern for comparison: the query
// parameter becomes part of the SQL text, so a value such as
// ' OR SLEEP(5)-- closes the string literal and is executed as SQL.
func vulnerableSearch(c *gin.Context) {
  q := c.Query("q")
  // Vulnerable: direct string concatenation leads to SQL injection.
  query := "SELECT id, name FROM users WHERE name LIKE '%" + q + "%'"
  rows, err := db.Query(query)
  if err != nil {
    c.String(http.StatusInternalServerError, "error: %v", err)
    return
  }
  defer rows.Close()
  count := 0
  for rows.Next() {
    count++
  }
  // rows.Next returning false may mean an iteration error, not end of data.
  if err := rows.Err(); err != nil {
    c.String(http.StatusInternalServerError, "error: %v", err)
    return
  }
  c.JSON(http.StatusOK, gin.H{"count": count})
}

// fixedSearch hands the SQL text and the user value to the driver separately.
func fixedSearch(c *gin.Context) {
  q := c.Query("q")
  // Secure: the statement contains only a placeholder; the driver binds the
  // value, so quotes or comment markers in q cannot alter the statement.
  // Caveat: % and _ inside q still act as LIKE wildcards. That is not SQL
  // injection, but escape them if the search term must match literally.
  query := "SELECT id, name FROM users WHERE name LIKE ?"
  rows, err := db.Query(query, "%"+q+"%")
  if err != nil {
    c.String(http.StatusInternalServerError, "error: %v", err)
    return
  }
  defer rows.Close()
  count := 0
  for rows.Next() {
    count++
  }
  if err := rows.Err(); err != nil {
    c.String(http.StatusInternalServerError, "error: %v", err)
    return
  }
  c.JSON(http.StatusOK, gin.H{"count": count})
}
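The handler above stops SQL injection, but a parameterized LIKE still lets a caller supply wildcards, and an unbounded term can drive expensive pattern scans. The following is an added example written for this guide, not code from the WWBN AVideo project or the page's own Gin handler. It builds the query text and argument list without a database so the contrast is visible: the same payload ends up inside the SQL text in the flawed version and only inside the bound argument in the fixed one. The escaping scheme, the `!` ESCAPE character, the 64-character bound and the function names are assumptions made for illustration; MySQL and PostgreSQL both accept `LIKE ? ESCAPE '!'` (with `$1` in place of `?` for PostgreSQL).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// maxTermLen bounds the search term so a caller cannot submit an
// arbitrarily long pattern (assumed limit for this example).
const maxTermLen = 64

var errBadTerm = errors.New("search term must be 1..64 characters")

// buildVulnerableQuery reproduces the flawed pattern: caller-controlled text
// becomes part of the SQL statement, so quotes and comment markers in it are
// interpreted by the database.
func buildVulnerableQuery(q string) string {
	return "SELECT id, name FROM users WHERE name LIKE '%" + q + "%'"
}

// escapeLike makes LIKE metacharacters match literally. '!' is used as the
// ESCAPE character because, unlike a backslash, it needs no extra quoting
// inside MySQL or PostgreSQL string literals.
func escapeLike(s string) string {
	return strings.NewReplacer("!", "!!", "%", "!%", "_", "!_").Replace(s)
}

// buildSafeQuery returns fixed SQL text that contains only a placeholder,
// plus the argument list to bind. The wildcards are added in code, so the
// caller can neither break out of the literal nor inject unescaped wildcards.
func buildSafeQuery(q string) (string, []interface{}, error) {
	n := utf8.RuneCountInString(q)
	if n == 0 || n > maxTermLen {
		return "", nil, errBadTerm
	}
	const sqlText = "SELECT id, name FROM users WHERE name LIKE ? ESCAPE '!'"
	return sqlText, []interface{}{"%" + escapeLike(q) + "%"}, nil
}

func main() {
	// Constructed payload of the kind used for time-based blind injection.
	payload := "' OR SLEEP(5)-- "
	fmt.Println("vulnerable:", buildVulnerableQuery(payload))
	sqlText, args, err := buildSafeQuery(payload)
	fmt.Println("safe:", sqlText, args, err)
	_, _, err = buildSafeQuery(strings.Repeat("a", maxTermLen+1))
	fmt.Println("too long:", err)
}
```

In a handler, pass the returned text and arguments to `db.Query(sqlText, args...)` exactly as `fixedSearch` does; the point of keeping the builder separate is that it can be unit-tested for the escaping and length rules without a live database.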

CVE References

CVE-2026-33651: SQL injection in WWBN AVideo (CWE-89, Improper Neutralization of Special Elements used in an SQL Command); fixed in commit 75d45780728294ededa1e3f842f95295d3e7d144.