CVE-2026-34737Missing Authorization in Avideo

CWE-862Missing Authorization4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 91.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
PublishedMar 31
Latest updateApr 1

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by provid

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDwwbn/avideo26.0
Packagistwwbn/avideo26.0

🔴Vulnerability Details

2
GHSA
AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug2026-04-01
OSV
AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug2026-04-01

🕵️Threat Intelligence

1
Wiz
CVE-2026-34737 Impact, Exploitability, and Mitigation Steps | Wiz