PT-2026-29364 · WordPress+1 · Stripeypt+1

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34737

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions 26.0 and prior

Description

AVideo is an open source video platform. A debug endpoint, test.php, within the StripeYPT plugin is accessible to all logged-in users, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. A flaw in the retrieveSubscriptions() method causes subscriptions to be cancelled instead of retrieved. This allows any authenticated user to cancel arbitrary Stripe subscriptions by providing a subscription ID.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-34737
GHSA-38RH-4V39-VFXV

Affected Products

AVideo
StripeYPT