CVE-2026-56341

HIGH

AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php

Title source: cna

Description

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.

References (2)

Vendor Advisory (vendor-advisory): GHSA-wprj-9cvc-5w37
https://github.com/WWBN/AVideo/security/advisories/GHSA-wprj-9cvc-5w37

Third Party Advisory (third-party-advisory): VulnCheck Advisory: AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php
https://www.vulncheck.com/advisories/avideo-unauthenticated-access-to-payment-log-datatables-endpoints-via-list-json-php

Scores

CVSS v3 7.5
EPSS 0.0030
EPSS Percentile 22.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
AVideo/AVideo < 26.0
Published Jun 20, 2026
Tracked Since Jun 21, 2026