{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34368", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.369Z", "datePublished": "2026-03-27T18:12:18.760Z", "dateUpdated": "2026-03-27T18:12:18.760Z"}, "containers": {"cna": {"title": "AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-h54m-c522-h6qr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-h54m-c522-h6qr"}, {"name": "https://github.com/WWBN/AVideo/commit/34132ad5159784bfc7ba0d7634bb5c79b769202d", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/34132ad5159784bfc7ba0d7634bb5c79b769202d"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T18:12:18.760Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance \u2014 all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix."}], "source": {"advisory": "GHSA-h54m-c522-h6qr", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance \u2014 all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix."}], "id": "CVE-2026-34368", "lastModified": "2026-03-27T18:16:05.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T18:16:05.723", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/34132ad5159784bfc7ba0d7634bb5c79b769202d"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-h54m-c522-h6qr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T19:35:37.513985+00:00", "value": {"mitigation_remediation": ["Apply the fix from commit 34132ad5159784bfc7ba0d7634bb5c79b769202d, which adds proper transaction handling or locking within the transferBalance method.", "Upgrade AVideo to the latest released version that includes the patched plugin.", "If an immediate upgrade is not possible, restrict concurrent balance transfer operations by implementing application\u2011level locking or disabling simultaneous transfers for the same user.", "Verify that wallet operations are now protected by database transactions or row\u2011level locks to prevent further race conditions."], "summary": {"action": "Patch Now", "impact": "Double spend and unauthorized balance manipulation in user wallets"}, "threat_synthesis": {"affected_systems": "Affected products are WWBN AVideo versions 26.0 and earlier, specifically the YPTWallet plugin's transferBalance function. All deployments of this open source video platform before the referenced commit lack transaction protection or row\u2011level locking.", "description_and_impact": "The vulnerability is a time\u2011of\u2011check time\u2011of\u2011use race condition in the transferBalance method of the YPTWallet plugin. An attacker running multiple authenticated sessions can trigger simultaneous transfer requests. Each request reads the sender's wallet balance before the balance is actually deducted, ensuring that all balance checks succeed. The deduction is applied only once, while the recipient receives the full amount for each request, effectively creating a double\u2011spend. This leads to unauthorized financial loss for the sender and possible over\u2011crediting for the recipient.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and no EPSS score is available, making it unclear how frequently attackers target this flaw. The issue is not listed in the CISA KEV catalog, suggesting no publicly known exploitation. The likely attack vector requires an attacker to be authenticated and to manage multiple sessions or parallel requests against the same account, which can be achieved through standard web interactions. Because the vulnerability depends on race timing and concurrent access, it is less likely to be easily exploited but still poses a financial risk if used by a determined adversary."}}}}, "created": "2026-03-27T20:27:51.432587+00:00", "updated": "2026-03-27T20:27:51.432618+00:00", "vendors": []}