Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized reallocation of wallet funds (double spending)
Action: Apply patch
AI Analysis

Impact

The vulnerability resides in the transferBalance function of the AVideo platform’s YPTWallet plugin, where a Time‑of‑Check‑Time‑of‑Use race condition allows a user with multiple authenticated sessions to initiate simultaneous transfers. Each transfer reads the sender’s balance, verifies sufficient funds, and then writes the new balance without any locking mechanism. Because all concurrent requests read the same original balance, the balance check passes for each and only one deduction actually occurs, while the recipient receives the full amount multiple times. This can lead to the sender’s wallet being drained and the recipient gaining funds in excess, effectively causing a double‑spend scenario.

Affected Systems

All installations of the WWBN AVideo platform running version 26.0 or earlier are affected. The issue is present in the YPTWallet plugin’s transferBalance method within those releases. Upgrading to a later version that includes the patch (commit 34132ad5159784bfc7ba0d7634bb5c79b769202d or a release built from it) removes the race condition.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the moderate range, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The attack requires an attacker to be authenticated within the affected AVideo installation and to coordinate multiple concurrent transfer requests, which is feasible but not trivial. The vulnerability is not listed in the CISA KEV catalog, so no undisclosed exploitation is known. As the weakness is a TOCTOU race condition (CWE‑362), the primary vector is through network requests that trigger the transferBalance function.

Generated by OpenCVE AI on March 31, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to a version that includes the commit 34132ad5159784bfc7ba0d7634bb5c79b769202d or newer.
  • If an immediate update is not possible, restrict concurrent usage of the transferBalance API by implementing rate limiting or session serialization to prevent simultaneous requests from the same user.

Generated by OpenCVE AI on March 31, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h54m-c522-h6qr AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
History

Tue, 31 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Fri, 27 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix.
Title AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T19:03:46.321Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34368

cve-icon Vulnrichment

Updated: 2026-03-30T19:03:37.210Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T18:16:05.723

Modified: 2026-03-31T16:25:04.990

Link: CVE-2026-34368

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:54Z

Weaknesses