Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix.
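As an added example (not AVideo's code), the read-check-write pattern described above, modelled in Python against a constructed in-memory sqlite3 wallet table, beside a hardened form that re-checks the balance inside a conditional UPDATE under a write transaction; the table, column names and function names are assumptions, not the project's own.

```python
import sqlite3

# Constructed in-memory wallet table standing in for AVideo's real schema (assumption).
def make_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit: transactions are explicit
    db.execute("CREATE TABLE wallet (user_id INTEGER PRIMARY KEY, balance REAL NOT NULL)")
    db.executemany("INSERT INTO wallet VALUES (?, ?)", [(1, 100.0), (2, 0.0)])
    return db

def read_balance(db, uid):
    return db.execute("SELECT balance FROM wallet WHERE user_id = ?", (uid,)).fetchone()[0]

def transfer_toctou_concurrent(db, sender, recipient, amount, sessions):
    """Vulnerable read-check-write, modelling `sessions` concurrent requests whose
    reads all happen before any write: every request sees the same stale balance."""
    seen = [read_balance(db, sender) for _ in range(sessions)]      # time of check
    applied = 0
    for balance in seen:                                              # time of use
        if balance < amount:                                          # check in application code
            continue
        # Overwrites with a value computed from the stale read, so N transfers debit once.
        db.execute("UPDATE wallet SET balance = ? WHERE user_id = ?", (balance - amount, sender))
        db.execute("UPDATE wallet SET balance = balance + ? WHERE user_id = ?", (amount, recipient))
        applied += 1
    return applied

def transfer_atomic(db, sender, recipient, amount):
    """Hardened form: check and debit in one conditional UPDATE inside a write
    transaction, so the balance is re-verified at write time under the lock."""
    db.execute("BEGIN IMMEDIATE")                                     # serialises concurrent transfers
    try:
        cur = db.execute(
            "UPDATE wallet SET balance = balance - ? WHERE user_id = ? AND balance >= ?",
            (amount, sender, amount))
        if cur.rowcount != 1:                                         # insufficient funds (or no row)
            db.execute("ROLLBACK")
            return False
        db.execute("UPDATE wallet SET balance = balance + ? WHERE user_id = ?", (amount, recipient))
        db.execute("COMMIT")
        return True
    except sqlite3.Error:
        db.execute("ROLLBACK")
        raise

def transfer_atomic_concurrent(db, sender, recipient, amount, sessions):
    """Same `sessions` requests against the hardened path: only what the balance covers succeeds."""
    return sum(transfer_atomic(db, sender, recipient, amount) for _ in range(sessions))
```

With a balance of 100 and three concurrent transfers of 80, the vulnerable path applies all three (sender left at 20, recipient credited 240) while the hardened path applies exactly one.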
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 26.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/34132ad5159784bfc7ba0d7634bb5c79b769202d (Patch)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-h54m-c522-h6qr (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-34368?
CVE-2026-34368 is a vulnerability with a CVSS score of 5.3 (MEDIUM). WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) rac...
How severe is CVE-2026-34368?
CVE-2026-34368 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34368?
Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.