Time-of-Check-Time-of-Use Race Condition in WWBN AVideo
CVE-2026-34368

5.3 MEDIUM

Key Information:

Vendor: Wwbn

Status
Vendor
CVE Published: 27 March 2026

What is CVE-2026-34368?

The vulnerability in WWBN AVideo is a time-of-check-time-of-use (TOCTOU) race condition in the transferBalance() method of the YPTWallet plugin. An attacker with multiple authenticated sessions can issue concurrent transfer requests that all read the same outdated balance. Because the method uses neither database transactions nor row-level locking, every request passes the balance check; only a single deduction takes effect on the sender's wallet, while each request credits the recipient's wallet. This can lead to financial discrepancies and unauthorized fund transfers. A fix has been implemented in commit 34132ad5159784bfc7ba0d7634bb5c79b769202d.
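The check-then-act pattern described above, next to a hardened form, as an added example; it is not AVideo's code and not the content of the fix commit. The `wallet` table, the function names and the in-memory SQLite database are assumptions made for illustration. On a server database with row-level locking, the same conditional `UPDATE` inside a transaction (or `SELECT ... FOR UPDATE` before the check) closes the window.

```python
import sqlite3

def make_db():
    # Constructed sample data: user 1 holds 100 units, user 2 holds 0.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("CREATE TABLE wallet (user_id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO wallet VALUES (?, ?)", [(1, 100), (2, 0)])
    return db

def balance(db, uid):
    return db.execute("SELECT balance FROM wallet WHERE user_id = ?", (uid,)).fetchone()[0]

# Check-then-act pattern from the description, split so two requests can overlap.
def unsafe_check(db, sender, amount):
    bal = balance(db, sender)
    return bal if bal >= amount else None  # the value goes stale after this read

def unsafe_apply(db, sender, recipient, amount, stale):
    db.execute("UPDATE wallet SET balance = ? WHERE user_id = ?", (stale - amount, sender))
    db.execute("UPDATE wallet SET balance = balance + ? WHERE user_id = ?", (amount, recipient))

# Hardened: check and debit are one statement inside one transaction.
def safe_transfer(db, sender, recipient, amount):
    if amount <= 0 or sender == recipient:
        return False
    db.execute("BEGIN IMMEDIATE")  # take the write lock before touching balances
    try:
        debit = db.execute(
            "UPDATE wallet SET balance = balance - ? WHERE user_id = ? AND balance >= ?",
            (amount, sender, amount))
        credit = db.execute(
            "UPDATE wallet SET balance = balance + ? WHERE user_id = ?", (amount, recipient))
        ok = debit.rowcount == 1 and credit.rowcount == 1
        db.execute("COMMIT" if ok else "ROLLBACK")  # both rows change, or neither
        return ok
    except Exception:
        db.execute("ROLLBACK")
        raise

def demo():
    db = make_db()
    seen = [unsafe_check(db, 1, 100), unsafe_check(db, 1, 100)]  # both pass on 100
    for stale in seen:
        unsafe_apply(db, 1, 2, 100, stale)
    unsafe_state = (balance(db, 1), balance(db, 2))
    db = make_db()
    results = [safe_transfer(db, 1, 2, 100), safe_transfer(db, 1, 2, 100)]
    return unsafe_state, results, (balance(db, 1), balance(db, 2))
```

`demo()` returns the final (sender, recipient) balances for the overlapping unsafe requests, the two results of the hardened transfers, and the final balances after them.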

Affected Version(s)

AVideo <= 26.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged