CVE-2026-56341

AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php

CVSS 8.7 HIGHEPSS 0.3%CWE-862

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.7EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

20 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including agreement IDs, user financial records, and API responses via direct GET requests to vulnerable endpoints.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Productos afectados

AVideo · AVideo

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/WWBN/AVideo/security/advisories/GHSA-wprj-9cvc-5w37 https://www.vulncheck.com/advisories/avideo-unauthenticated-access-to-payment-log-datatables-endpoints-via-list-json-php