CVE-2026-43883

🗓️ 11 May 2026 20:41:40Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 10 Views🌐 WEB

CVE-2026-43883: IDOR in PayPal YPT agreementCancel.json.php lets authenticated users cancel subscriptions.

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2026-43883	27 Apr 202617:05	–	circl
CNNVD	WWBN AVideo 安全漏洞	11 May 202600:00	–	cnnvd
Cvelist	CVE-2026-43883 WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements	11 May 202620:41	–	cvelist
Github Security Blog	AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements	5 May 202622:16	–	github
NVD	CVE-2026-43883	11 May 202622:22	–	nvd
OSV	GHSA-958H-QP3X-Q4GJ AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements	5 May 202622:16	–	osv
Positive Technologies	PT-2026-37299	5 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-43883	5 Jun 202619:40	–	redhatcve
Snyk	Authorization Bypass Through User-Controlled Key	5 May 202622:16	–	snyk

Vulners

Node

wwbn avideoRange≤29.0

[
  {
    "vendor": "WWBN",
    "product": "AVideo",
    "versions": [
      {
        "version": "<= 29.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj
github	www.github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2

Parameter	Position	Path	Description	CWE
agreement	query param	plugin/PayPalYPT/agreementCancel.json.php	Endpoint accepting an attacker-supplied PayPal billing agreement ID without ownership verification, enabling silent suspension of a victim's recurring subscription.	CWE-639

17 Jun 2026 10:50Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.14.2

EPSS0.00167

CWE-639