Race condition in AVideo - CVE-2026-34368

 


Published: April 8, 2026


Vulnerability identifier: #VU125483
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34368
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to create wallet balance from nothing.

The vulnerability exists due to a race condition in the transferBalance() method in plugin/YPTWallet/YPTWallet.php when handling concurrent transfer requests. A remote user can send concurrent transfer requests from multiple authenticated sessions to create wallet balance from nothing.

The issue requires multiple authenticated sessions for the same account, and captcha validation can be reused within each session.
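The advisory does not show the affected code, so the following is an added illustration (not AVideo's code and not from the vendor) of the general check-then-write race class (CWE-362) in a balance transfer, next to an atomic form. The `wallet` table, the function names and the sample balances are assumptions, and the overlap of two requests is simulated deterministically on one in-memory SQLite connection.

```python
import sqlite3

def make_db():
    # Constructed sample data: user 1 holds 100 credits, user 2 holds none.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wallet (user_id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO wallet VALUES (?, ?)", [(1, 100), (2, 0)])
    db.commit()
    return db

def total(db):
    return db.execute("SELECT SUM(balance) FROM wallet").fetchone()[0]

def balance(db, user_id):
    return db.execute("SELECT balance FROM wallet WHERE user_id = ?", (user_id,)).fetchone()[0]

# Racy pattern (assumed): the balance check and the write are separate steps.
def racy_check(db, src, amount):
    seen = balance(db, src)
    return seen if seen >= amount else None

def racy_apply(db, src, dst, amount, seen):
    # The sender's new balance is derived from the earlier, possibly stale, read.
    db.execute("UPDATE wallet SET balance = ? WHERE user_id = ?", (seen - amount, src))
    db.execute("UPDATE wallet SET balance = balance + ? WHERE user_id = ?", (amount, dst))
    db.commit()

def racy_interleaved(db, src, dst, amount):
    # Two requests both pass the check before either one writes.
    first = racy_check(db, src, amount)
    second = racy_check(db, src, amount)
    for seen in (first, second):
        if seen is not None:
            racy_apply(db, src, dst, amount, seen)
    return total(db)

# Hardened pattern: check and debit are one atomic statement in one transaction.
def safe_transfer(db, src, dst, amount):
    if amount <= 0:
        return False
    with db:  # commits on success, rolls back on exception
        cur = db.execute(
            "UPDATE wallet SET balance = balance - ? WHERE user_id = ? AND balance >= ?",
            (amount, src, amount))
        if cur.rowcount != 1:
            return False  # insufficient funds at write time; nothing is credited
        db.execute("UPDATE wallet SET balance = balance + ? WHERE user_id = ?", (amount, dst))
    return True
```

In the racy form the system total grows from 100 to 200 because the second request acts on a balance that no longer exists; in the hardened form the second transfer is rejected at write time and the total stays at 100.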


How to mitigate CVE-2026-34368

Install the security update from the vendor's website.
