AVideo – Unauthenticated Access to Payment Log DataTables Endpoints via...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.

Basic Information

ID CVE-2026-56341

Source VulnCheck

Published Jun 20, 2026 at 18:27

Affected Product

Vendor AVideo

Product AVideo

Affected Versions AVideo AVideo 0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.",
    "published": "2026-06-20T18:27:10.827Z",
    "modified": "2026-06-20T18:27:10.827Z",
    "type": "cve",
    "title": "AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php",
    "source": "VulnCheck",
    "references": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wprj-9cvc-5w37\nhttps://www.vulncheck.com/advisories/avideo-unauthenticated-access-to-payment-log-datatables-endpoints-via-list-json-php",
    "id": "CVE-2026-56341",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "AVideo AVideo 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AVideo",
    "version": "0",
    "vendor": "AVideo",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

AVideo – Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php_CVE-2026-56341