CVE-2026-34368: TOCTOU Race Condition in WWBN AVideo YPTWallet Plugin
Vulnerability ID: CVE-2026-34368
CVSS Score: 5.3
Published: 2026-03-30
WWBN AVideo versions up to and including 26.0 suffer from a Time-of-Check-Time-of-Use (TOCTOU) race condition in the YPTWallet plugin's transfer logic. This vulnerability allows authenticated users to bypass balance checks via concurrent requests, enabling unauthorized financial transfers. The flaw is compounded by a secondary vulnerability that permits captcha token reuse.
TL;DR
A race condition in the WWBN AVideo YPTWallet plugin allows authenticated attackers to double-spend funds by submitting concurrent transfer requests. The transfer logic reads the balance, checks it, and then writes the debited value without a database-level lock around the read-check-write cycle, so two requests that read the same balance both pass the check and both get applied.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-362
- Attack Vector: Network
- CVSS Score: 5.3 (Medium)
- EPSS Score: 0.00026
- Impact: Integrity Violation (Double-Spending)
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- WWBN AVideo installations running version 26.0 or earlier with the YPTWallet plugin enabled.
- AVideo: <= 26.0 (fixed in versions > 26.0)
Code Analysis
Commit: 34132ad
Fix for concurrent execution and captcha reuse vulnerabilities in YPTWallet plugin.
Mitigation Strategies
- Update AVideo to a patched version greater than 26.0.
- Disable the YPTWallet plugin if immediate patching is not feasible.
Remediation Steps:
- Verify the current version of the AVideo installation.
- Backup the application database and file system.
- Deploy the latest release or apply commit 34132ad5159784bfc7ba0d7634bb5c79b769202d manually.
- Verify the fix by sending concurrent transfer requests against a test wallet and confirming that the balance is never debited below the amount available (of two simultaneous transfers that together exceed the balance, only one should succeed).
- Audit existing wallet balances for signs of previous exploitation.
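The read-check-write cycle described in the TL;DR and the concurrency check in the remediation steps, as an added Python example that is not AVideo's PHP code and not taken from commit 34132ad: an in-memory SQLite wallet (hypothetical table and column names, balances in integer cents) with the vulnerable pattern beside an atomic conditional UPDATE. A threading.Barrier forces two transfers to interleave exactly at the check/use boundary so the double spend reproduces deterministically instead of depending on timing; the lock around each statement stands in for the database engine serializing individual statements (as MySQL row locks do for a single UPDATE) and deliberately does not span the whole cycle.

```python
import sqlite3
import threading

# Constructed in-memory wallet standing in for the plugin's real schema.
# Table and column names are hypothetical; balances are integer cents.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE wallet (users_id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO wallet VALUES (?, ?)", [(1, 10000), (2, 0)])
    db.commit()
    return db

# Stands in for the database engine serializing each statement (MySQL row locks
# do this for a single UPDATE); it does NOT span the whole read-check-write cycle.
stmt_lock = threading.Lock()

def transfer_vulnerable(db, barrier, src, dst, amount):
    """Read, check, then write: the TOCTOU pattern CVE-2026-34368 describes."""
    with stmt_lock:                                   # time of check
        (balance,) = db.execute(
            "SELECT balance FROM wallet WHERE users_id = ?", (src,)).fetchone()
    if balance < amount:
        return False
    barrier.wait()     # a concurrent request lands in this window
    with stmt_lock:                                   # time of use: blind decrement
        db.execute("UPDATE wallet SET balance = balance - ? WHERE users_id = ?", (amount, src))
        db.execute("UPDATE wallet SET balance = balance + ? WHERE users_id = ?", (amount, dst))
        db.commit()
    return True

def transfer_atomic(db, barrier, src, dst, amount):
    """Check and debit in one conditional UPDATE; the engine serializes it."""
    barrier.wait()     # both requests arrive together, then compete for the row
    with stmt_lock:
        cur = db.execute(
            "UPDATE wallet SET balance = balance - ? WHERE users_id = ? AND balance >= ?",
            (amount, src, amount))
        if cur.rowcount != 1:                         # the later request sees the debited balance
            db.rollback()
            return False
        db.execute("UPDATE wallet SET balance = balance + ? WHERE users_id = ?", (amount, dst))
        db.commit()
    return True

def run_concurrent(transfer, amount=6000, n=2):
    """Fire n concurrent transfers of `amount` cents from user 1 to user 2.
    Returns (successful_transfers, src_balance, dst_balance)."""
    db = make_db()
    barrier = threading.Barrier(n)
    results = []

    def worker():
        results.append(transfer(db, barrier, 1, 2, amount))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    (src,) = db.execute("SELECT balance FROM wallet WHERE users_id = 1").fetchone()
    (dst,) = db.execute("SELECT balance FROM wallet WHERE users_id = 2").fetchone()
    return sum(results), src, dst

if __name__ == "__main__":
    # Two transfers of 60.00 against a 100.00 balance.
    print("vulnerable:", run_concurrent(transfer_vulnerable))   # (2, -2000, 12000): double spend
    print("atomic:    ", run_concurrent(transfer_atomic))       # (1, 4000, 6000)
```

The same idea applies to a patched AVideo instance: a transfer endpoint that only ever debits through a conditional statement (or a SELECT ... FOR UPDATE inside the same transaction as the write) cannot be pushed below zero by concurrent requests, whereas the vulnerable shape lets every request that passed the stale check succeed.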
References
Read the full report for CVE-2026-34368 on our website for more details including interactive diagrams and full exploit analysis.