CVE-2026-34737 in AVideoinfo

Zusammenfassung (Englisch)

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Zuständig

GitHub_M

Reservieren

30.03.2026

Veröffentlichung

01.04.2026

Status

Bestätigt

Einträge

VulDB provides additional information and datapoints for this CVE:

ID	Schwachstelle	CWE	Aus	Mas	CVE
354543	WWBN AVideo Endpoint test.php retrieveSubscriptions erweiterte Rechte	862	Nicht definiert	Nicht definiert	CVE-2026-34737

Beschreibung

CPE

CWE

CVSS

Exploits

History

Diff

Verknüpfen

Threat Intelligence

API JSON

API XML

API CSV

Quellen

◂ ZurückÜbersichtWeiter ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!