CVE-2026-56341
Status: Received - Intake
Unauthenticated Data Exposure in AVideo Payment Plugins

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.
Meta Information
Published: 2026-06-20
Last Modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor: wwbn
Product: avideo
Version / Range: up to and including 26.0
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-56341 is a vulnerability in AVideo versions up to 26.0 where multiple payment plugin endpoints named list.json.php lack proper authorization checks.

Because these endpoints do not verify whether the requesting user is authenticated or an admin, unauthenticated attackers can access sensitive payment data.

This includes PayPal tokens, Authorize.Net webhook payloads, Bitcoin transaction records, agreement IDs, user financial records, and API responses.

Attackers can retrieve this data simply by sending direct GET requests to these vulnerable endpoints.

Impact Analysis

This vulnerability can lead to a significant confidentiality breach of sensitive financial and user data.

  • Exposure of PayPal tokens and Bitcoin transaction records.
  • Unauthorized access to Authorize.Net webhook payloads.
  • Disclosure of agreement IDs and user financial records.

Such exposure can result in financial fraud, identity theft, and loss of trust from users or customers.

Detection Guidance

This vulnerability can be detected by attempting unauthenticated GET requests to the vulnerable list.json.php endpoints in the payment plugins of AVideo versions up to 26.0. If these endpoints return sensitive payment transaction data without requiring authentication, the system is vulnerable.

You can use commands like curl to test these endpoints. For example:

  • curl -X GET http://<your-avideo-domain>/plugin/paymentPluginName/list.json.php
  • Replace <your-avideo-domain> with your server's domain and paymentPluginName with the specific payment plugin folder name.

If the response contains payment transaction data such as PayPal tokens, Authorize.Net webhook payloads, or Bitcoin transaction records without authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves restricting access to the vulnerable list.json.php endpoints by enforcing proper authorization checks.

Specifically, add authentication and authorization checks such as User::isAdmin() to all list.json.php endpoints in the payment plugins, similar to the controls already present in add.json.php and delete.json.php endpoints.

Additionally, consider temporarily disabling or restricting access to these endpoints at the web server or firewall level until a proper patch or update is applied.

Finally, update AVideo to a version later than 26.0 once a patch addressing this vulnerability is released.
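The guard the mitigation describes, shown as an added example rather than AVideo's own source: the top of a payment plugin's list.json.php with the same admin check that add.json.php and delete.json.php already perform. The bootstrap path and the PaymentTransactions::getAll() helper are assumptions used only for illustration.

```php
<?php
// Added example (not AVideo's code): hardened list.json.php for a payment plugin.
// The bootstrap path below is an assumption about the project layout.
require_once dirname(__FILE__) . '/../../videos/configuration.php';

header('Content-Type: application/json');

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';
$obj->rows = array();

// Authorization check BEFORE any data is read. The vulnerable endpoints skipped
// this step and went straight to the query, so any unauthenticated GET got the
// full transaction dump (PayPal tokens, webhook payloads, Bitcoin records).
if (!User::isAdmin()) {
    $obj->msg = 'Permission denied';
    http_response_code(403);
    // Log the refusal so probing of this endpoint is visible in server logs.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log('list.json.php: unauthorized access attempt from ' . $ip);
    die(json_encode($obj));
}

// Only an authenticated admin reaches this point.
$obj->error = false;
$obj->rows = PaymentTransactions::getAll(); // hypothetical helper; use the plugin's real lookup
die(json_encode($obj));
```

After deploying, an unauthenticated curl against the endpoint (as in the Detection Guidance above) should return HTTP 403 with an empty rows array rather than transaction data.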
