CVE-2026-43883

Published: Mag 12, 2026 Last Modified: Mag 12, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 4,2

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: low

Availability: low

Description

AI Translation Available

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.

639

Authorization Bypass Through User-Controlled Key

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694b…

https://github.com/WWBN/AVideo/commit/0da3dcff1eda2f497694bf82b559829471c292c2

https://github.com/WWBN/AVideo/security/advisories/GHSA-958…

https://github.com/WWBN/AVideo/security/advisories/GHSA-958h-qp3x-q4gj

CVE-2026-43883

Description

Authorization Bypass Through User-Controlled Key

Common Consequences

Applicable Platforms

Iscriviti alla newsletter