Unauthenticated Access Vulnerability in AVideo Payment Plugin
CVE-2026-56341

8.7 HIGH

Key Information:

Vendor: Avideo

Status
Vendor
CVE Published: 20 June 2026

What is CVE-2026-56341?

AVideo, up to version 26.0, exposes multiple list.json.php endpoints in its payment plugins that lack proper authorization checks. An unauthenticated attacker can read critical payment transaction data by sending direct GET requests to these endpoints. The exposed information includes sensitive financial records, PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction details, putting user privacy and financial security at significant risk.

Affected Version(s)

AVideo 0 <= 26.0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

offset