CVE-2026-56341

Source
https://cve.org/CVERecord?id=CVE-2026-56341
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56341.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-56341
Aliases
Published
2026-06-20T18:27:10.827Z
Modified
2026-07-08T08:09:47.307589776Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php
Details

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56341.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type
GIT
Repo
https://github.com/wwbn/avideo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "26.0"
        },
        {
            "fixed": "26.0"
        }
    ]
}

Affected versions

10.*
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
18.*
18.0
2.*
2.2
2.7
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
3.*
3.4
4.*
4.0
7.*
7.2
7.3
7.4
7.6
7.7
7.8
8.*
8.1
8.5
8.6
8.7
8.9
8.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56341.json"