CVE-2026-34395
Published 2026-03-31
Priority: P339
CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.32% (23.3th percentile)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database. At time of publication, there are no publicly available patches.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA (2026-03-31)
CVE-2026-34395 [MEDIUM] CWE-862 AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
**Severity:** High
**CWE:** CWE-862 (Missing Authorization)
### Summary
The `plugin/YPTWallet/view/users.json.php` endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks `User::isLogged()` but does not check `User::isAdmin()`, so any registered user can dump the full user database.
### Details
The authorization check at `plugin/YPTWallet/view/users.json.php:8`:
```php
if (!User::isLogged()) {
    die("Is not logged");
}
```
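As an added example, not code from the AVideo project or from the advisory, the stand-alone PHP script below shows the two defenses that follow from the advisory's findings: gating the endpoint on `User::isAdmin()` rather than only `User::isLogged()`, and serializing an explicit allow-list of columns so that a `SELECT w.*, u.*` result cannot expose password hashes or recovery tokens through this endpoint even to an administrator. The `User` class, its session array and the `getAllUsersRowsForDemo()` rows are constructed stand-ins for AVideo's real login state and for `YPTWallet::getAllUsers()`; the column names in `USER_LIST_FIELDS` and the row layout are assumptions, not the project's schema.

```php
<?php
// Added example (not AVideo project code): a hardened stand-in for the
// guard in plugin/YPTWallet/view/users.json.php plus a response allow-list.
// The User class is a constructed stub modelling only the two checks the
// advisory names; the row set replaces YPTWallet::getAllUsers() so the
// script runs offline.
declare(strict_types=1);

final class User
{
    // Constructed: this array stands in for AVideo's real login state.
    public static array $session = [];

    public static function isLogged(): bool
    {
        return !empty(self::$session['user_id']);
    }

    public static function isAdmin(): bool
    {
        return self::isLogged() && !empty(self::$session['is_admin']);
    }
}

// Constructed rows in the shape the advisory describes: every column of
// users (u.*) joined with every column of the wallet table (w.*).
function getAllUsersRowsForDemo(): array
{
    return [
        ['user_id' => 1, 'user' => 'alice', 'email' => 'alice@example.invalid',
         'password' => '$2y$10$constructedhash1', 'recoverPass' => 'tok-1',
         'balance' => '12.50'],
        ['user_id' => 2, 'user' => 'bob', 'email' => 'bob@example.invalid',
         'password' => '$2y$10$constructedhash2', 'recoverPass' => 'tok-2',
         'balance' => '0'],
    ];
}

// Defense 1: require the admin role, not merely a logged-in session.
// Returns null when the caller may proceed, otherwise the status and JSON
// body that must be sent instead of the user list.
function authorizeUserList(): ?array
{
    if (!User::isLogged()) {
        return ['status' => 401, 'body' => ['error' => 'not logged in', 'users' => []]];
    }
    if (!User::isAdmin()) {
        return ['status' => 403, 'body' => ['error' => 'admin role required', 'users' => []]];
    }
    return null;
}

// Defense 2: emit only an explicit allow-list of columns (assumed names).
// Whatever the SQL selects, password hashes and recovery tokens never
// leave the server through this endpoint.
const USER_LIST_FIELDS = ['user_id', 'user', 'email', 'balance'];

function projectUserRows(array $rows): array
{
    $out = [];
    foreach ($rows as $row) {
        $projected = [];
        foreach (USER_LIST_FIELDS as $field) {
            $projected[$field] = $row[$field] ?? null;
        }
        $out[] = $projected;
    }
    return $out;
}

function buildUserListResponse(array $rows): array
{
    $denied = authorizeUserList();
    if ($denied !== null) {
        return $denied;
    }
    return ['status' => 200, 'body' => ['error' => null, 'users' => projectUserRows($rows)]];
}

// Demo: an ordinary registered user is refused; an admin gets the projected list.
User::$session = ['user_id' => 2, 'is_admin' => false];
$asUser = buildUserListResponse(getAllUsersRowsForDemo());
assert($asUser['status'] === 403);

User::$session = ['user_id' => 1, 'is_admin' => true];
$asAdmin = buildUserListResponse(getAllUsersRowsForDemo());
assert($asAdmin['status'] === 200);
assert(!array_key_exists('password', $asAdmin['body']['users'][0]));

echo json_encode($asUser['body']), PHP_EOL;
echo json_encode($asAdmin['body']), PHP_EOL;
```

Run it with `php users_json_hardened.php`; the first line is the refusal an ordinary user receives, the second is the admin view with only the allow-listed fields. The 403 path is also the place to emit an audit log entry: on a patched instance, requests to this path from non-admin accounts are the signal to watch for, since the unpatched endpoint answered them with the full user table.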
The query in `YPTWallet::getAllUsers()` selects all columns from both tables:
```php
$sql = "SELECT w.*, u.*, u.id as user_id, IFNULL(balance, 0) as balance FROM users u "
    . " LEFT JOIN wa
```
OSV (2026-03-31)
AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php (mirrors the GHSA advisory above)
No detection rules found. No public exploits indexed.
Published 2026-03-31