WWBN AVideo is an open source video platform. In versions up to and including 26.0, the "Live_schedule::keyExists()" method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from "LiveTransmition::keyExists()" when the initial parameterized lookup returns no results. Although the calling function correctly uses parameterized queries for its own lookup, the fallback path to "Live_schedule::keyExists()" undoes this protection entirely. This vulnerability is distinct from GHSA-pvw4-p2jm-chjm, which covers SQL injection via the "live_schedule_id" parameter in the reminder function. This finding targets the stream key lookup path used during RTMP publish authentication. As of time of publication, no patched versions are available.