PT-2026-28622 · WordPress+1 · Yptwallet+1

Danielnetodotcom · Published 2026-03-27 · Updated 2026-03-30 · CVE-2026-34368

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0
Description: AVideo is an open source video platform. The transferBalance() method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use (TOCTOU) race condition: it reads the sender's wallet balance, checks for sufficient funds in PHP code, and then writes the new balance, with no database transaction or row-level lock spanning the read and the write. An attacker with multiple authenticated sessions can send transfer requests concurrently so that each request reads the same initial balance. Each request then independently passes the balance check, so the sender's balance is deducted only once while the recipient is credited multiple times.
Recommendations: Update AVideo (versions up to and including 26.0) to a version containing commit 34132ad5159784bfc7ba0d7634bb5c79b769202d, which addresses the issue.
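The read/check/write shape described above and an atomic alternative, as an added example that is not AVideo's code and not the referenced fix commit. The table and column names (wallets, users_id, balance), the function names, and the modelling of the recipient credit as an increment are assumptions; in-memory SQLite stands in for the real database so the script runs stand-alone, and the two "concurrent" requests are interleaved by hand so the lost update is deterministic:

```php
<?php
// Added demonstration, not AVideo's code or the fix commit. Models the
// read/check/write shape the advisory describes for transferBalance() and
// an atomic alternative. Table/column names (wallets, users_id, balance)
// and all function names are assumptions; in-memory SQLite stands in for
// the real database so the script runs stand-alone.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE wallets (users_id INTEGER PRIMARY KEY, balance REAL NOT NULL)');
    $pdo->exec('INSERT INTO wallets (users_id, balance) VALUES (1, 100.0), (2, 0.0)');
    return $pdo;
}

function balance(PDO $pdo, int $userId): float {
    $st = $pdo->prepare('SELECT balance FROM wallets WHERE users_id = ?');
    $st->execute([$userId]);
    return (float) $st->fetchColumn();
}

// Vulnerable shape: the funds check runs in PHP on a value read earlier, and
// the sender's new balance is written from that stale value. It is split into
// a check step and a write step so two requests can be interleaved on purpose.
function vulnerableCheck(PDO $pdo, int $from, float $amount): ?float {
    $current = balance($pdo, $from);              // time of check
    return $current >= $amount ? $current : null; // null = insufficient funds
}

function vulnerableWrite(PDO $pdo, int $from, int $to, float $amount, float $seen): void {
    // Time of use: overwrite the sender's balance from the stale read.
    $pdo->prepare('UPDATE wallets SET balance = ? WHERE users_id = ?')
        ->execute([$seen - $amount, $from]);
    // Recipient credit modelled as an increment (assumption); it lands every time.
    $pdo->prepare('UPDATE wallets SET balance = balance + ? WHERE users_id = ?')
        ->execute([$amount, $to]);
}

// Hardened shape: check and debit are one conditional UPDATE that the database
// evaluates against the row's current value under its write lock, inside a
// transaction. It affects 0 rows when funds are short, so the balance cannot
// go below zero whatever the interleaving. On MySQL, SELECT ... FOR UPDATE
// inside the transaction is the row-locking alternative; SQLite has no
// FOR UPDATE, hence the conditional UPDATE here.
function transferAtomic(PDO $pdo, int $from, int $to, float $amount): bool {
    $pdo->beginTransaction();
    try {
        $debit = $pdo->prepare(
            'UPDATE wallets SET balance = balance - ? WHERE users_id = ? AND balance >= ?');
        $debit->execute([$amount, $from, $amount]);
        if ($debit->rowCount() !== 1) {
            $pdo->rollBack();
            return false;
        }
        $pdo->prepare('UPDATE wallets SET balance = balance + ? WHERE users_id = ?')
            ->execute([$amount, $to]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Two "concurrent" requests against the vulnerable shape: both read 100 before
// either writes, both pass the check, the sender is debited once and the
// recipient is credited twice. (Both checks pass here, so neither is null.)
$pdo = makeDb();
$seenA = vulnerableCheck($pdo, 1, 60.0);
$seenB = vulnerableCheck($pdo, 1, 60.0);
vulnerableWrite($pdo, 1, 2, 60.0, $seenA);
vulnerableWrite($pdo, 1, 2, 60.0, $seenB);
printf("vulnerable: sender=%.2f recipient=%.2f\n", balance($pdo, 1), balance($pdo, 2));

// Same two requests against the atomic shape: the second debit matches no row.
$pdo = makeDb();
$okA = transferAtomic($pdo, 1, 2, 60.0);
$okB = transferAtomic($pdo, 1, 2, 60.0);
printf("atomic: first=%s second=%s sender=%.2f recipient=%.2f\n",
    var_export($okA, true), var_export($okB, true), balance($pdo, 1), balance($pdo, 2));
```

The point of the atomic form is that the comparison against the balance moves out of PHP and into the same statement that changes it, so there is no window between check and use for a second request to exploit; a transaction alone, without either a conditional write or a row lock, does not close that window.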

Weakness Enumeration

Race Condition

Related Identifiers

CVE-2026-34368
GHSA-H54M-C522-H6QR

Affected Products

AVideo
YPTWallet