#VU125483 Race condition in AVideo - CVE-2026-34368

 


Published: April 8, 2026


Vulnerability identifier: #VU125483
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34368
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote user to create wallet balance from nothing.

The vulnerability exists due to a race condition in the transferBalance() method in plugin/YPTWallet/YPTWallet.php when handling concurrent transfer requests. A remote user can send concurrent transfer requests from multiple authenticated sessions to create wallet balance from nothing.

The issue requires multiple authenticated sessions for the same account, and captcha validation can be reused within each session.


Remediation

Install the security update from the vendor's website.
