CVE-2026-39366 — Insufficient Verification of Data Authenticity in Avideo

CWE-345 — Insufficient Verification of Data Authenticity4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 96.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

PublishedApr 7

Latest updateApr 8

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5wwbn/avideo26.0

▶Packagistwwbn/avideo26.0

🔴Vulnerability Details

GHSA

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php↗2026-04-08

▶

OSV

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php↗2026-04-08

▶

🕵️Threat Intelligence

Wiz

CVE-2026-39366 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶