PT-2026-30985 · Paypalypt+1

Offset · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-39366

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior

Description: The AVideo platform, an open source video platform, has an issue in the PayPal IPN v1 handler located at 'plugin/PayPalYPT/ipn.php'. This handler does not properly deduplicate transactions, which could allow an attacker to replay a legitimate IPN notification multiple times. This replay could lead to an attacker inflating their wallet balance and renewing subscriptions repeatedly. The newer 'ipnV2.php' and 'webhook.php' handlers correctly deduplicate transactions using PayPalYPT log entries, but the vulnerable v1 handler remains in use as the notify URL for billing plans.

Recommendations: Update AVideo to a version later than 26.0.
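The replay the description refers to, and the per-transaction deduplication that the newer handlers perform, reduced to a runnable illustration. This is an added example, not AVideo's code: `Wallet`, the `process_ipn_*` functions and the IPN payload are hypothetical and constructed, and a Python set stands in for the PayPalYPT log table.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class Wallet:                      # hypothetical stand-in for a user's wallet row
    balance: Decimal = Decimal("0")

# Constructed IPN payload (the POST form fields PayPal sends). A replayed
# notification is identical, so its txn_id repeats.
SAMPLE_IPN = {
    "txn_id": "5TY05013RG002845M",   # constructed sample transaction id
    "payment_status": "Completed",
    "mc_gross": "10.00",
    "mc_currency": "USD",
    "custom": "users_id=42",
}

def process_ipn_unsafe(ipn: dict, wallet: Wallet) -> bool:
    """Credits on every delivery: a replayed notification is credited again."""
    if ipn.get("payment_status") != "Completed":
        return False
    wallet.balance += Decimal(ipn["mc_gross"])
    return True

def process_ipn_dedup(ipn: dict, wallet: Wallet, seen_txn: set) -> bool:
    """Credits once per txn_id. seen_txn stands in for a persistent log table
    with a UNIQUE key on txn_id; in production the insert-if-absent and the
    credit must run in one DB transaction so concurrent replays cannot both
    pass the check."""
    if ipn.get("payment_status") != "Completed":
        return False
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in seen_txn:
        return False               # duplicate or malformed: no credit, no renewal
    seen_txn.add(txn_id)
    wallet.balance += Decimal(ipn["mc_gross"])
    return True

def deliver_twice(handler, **extra) -> Decimal:
    """Deliver the same IPN twice (the real one plus one replay) and return
    the resulting balance."""
    wallet = Wallet()
    for _ in range(2):
        handler(SAMPLE_IPN, wallet, **extra)
    return wallet.balance

if __name__ == "__main__":
    print("no dedup:", deliver_twice(process_ipn_unsafe))                # 20.00
    print("dedup   :", deliver_twice(process_ipn_dedup, seen_txn=set()))  # 10.00
```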

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-39366
GHSA-MMW7-WQ3C-WF9P

Affected Products

Avideo
Paypalypt