Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix.

INFO

Published Date :

2026-03-27T18:12:18.760Z

Last Modified :

2026-03-27T18:12:18.760Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34368 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34368.

URL Resource
https://github.com/WWBN/AVideo/commit/34132ad5159784bfc7ba0d7634bb5c79b769202d cve-icon cve-icon
https://github.com/WWBN/AVideo/security/advisories/GHSA-h54m-c522-h6qr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact