CVE-2026-34368

Exploit

EPSS 0.03%
Veröffentlicht 27.03.2026 18:16:05
Zuletzt bearbeitet 31.03.2026 16:25:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wwbn ≫ Avideo Version <= 26.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.087

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://github.com/WWBN/AVideo/commit/34132ad5159784bfc7ba0d7634bb5c79b769202d

Patch

https://github.com/WWBN/AVideo/security/advisories/GHSA-h54m-c522-h6qr

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-34368

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34368

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34368

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34368