CVE-2026-56341
Deferred Deferred - Pending Action

Unauthenticated Data Exposure in AVideo Payment Plugins

Vulnerability report for CVE-2026-56341, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-20

Last updated on: 2026-06-22

Assigner: VulnCheck

Description

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-20
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56341 is a vulnerability in AVideo versions up to 26.0 where multiple payment plugin endpoints named list.json.php lack proper authorization checks.

Because these endpoints do not verify if a user is authorized or an admin, unauthenticated attackers can access sensitive payment data.

This includes PayPal tokens, Authorize.Net webhook payloads, Bitcoin transaction records, agreement IDs, user financial records, and API responses.

Attackers can retrieve this data simply by sending direct GET requests to these vulnerable endpoints.

Impact Analysis

This vulnerability can lead to a significant confidentiality breach of sensitive financial and user data.

  • Exposure of PayPal tokens and Bitcoin transaction records.
  • Unauthorized access to Authorize.Net webhook payloads.
  • Disclosure of agreement IDs and user financial records.

Such exposure can result in financial fraud, identity theft, and loss of trust from users or customers.

Detection Guidance

This vulnerability can be detected by attempting unauthenticated GET requests to the vulnerable list.json.php endpoints in the payment plugins of AVideo versions up to 26.0. If these endpoints return sensitive payment transaction data without requiring authentication, the system is vulnerable.

You can use commands like curl to test these endpoints. For example:

  • curl -X GET http://<your-avideo-domain>/plugin/paymentPluginName/list.json.php
  • Replace <your-avideo-domain> with your server's domain and paymentPluginName with the specific payment plugin folder name.

If the response contains payment transaction data such as PayPal tokens, Authorize.Net webhook payloads, or Bitcoin transaction records without authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves restricting access to the vulnerable list.json.php endpoints by enforcing proper authorization checks.

Specifically, add authentication and authorization checks such as User::isAdmin() to all list.json.php endpoints in the payment plugins, similar to the controls already present in add.json.php and delete.json.php endpoints.

Additionally, consider temporarily disabling or restricting access to these endpoints at the web server or firewall level until a proper patch or update is applied.

Finally, update AVideo to a version later than 26.0 once a patch addressing this vulnerability is released.

Compliance Impact

This vulnerability exposes sensitive payment transaction data, including PayPal tokens, Authorize.Net webhooks, Bitcoin transaction records, agreement IDs, user financial records, and API responses to unauthenticated attackers.

Such unauthorized disclosure of personal and financial data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personally identifiable information (PII) and financial data.

The lack of authorization checks on these endpoints means that confidential user and payment information can be accessed without consent, potentially violating confidentiality and data protection requirements mandated by these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56341. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart