AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

Summary The transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attack...

Race Condition

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Race Condition through the transferBalance process in plugin/YPTWallet/YPTWallet.php. An attacker can create a wallet balance from nothing by sending concurrent...

CVE-2026-34368

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new...

CVE-2026-34368 AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new...

CVE-2026-34368

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new...

CVE-2026-34368 AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new...

CVE-2026-34368

Summary of CVE-2026-34368 (AVideo) : The TOCTOU race condition occurs in the transferBalance() function of YPTWallet.php in WWBN AVideo when running versions up to 26.0. The balance check and the deduction are performed without a database transaction or row-level locking, allowing concurrent auth...

WWBN AVideo 竞争条件问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a race condition vulnerability. This vulnerability stemmed from a race condition in the transferBalance method, which could allow concurrent transfer requests to...