CVE-2026-33731: AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data

June 22, 2026

The Authorize.Net webhook handler at plugin/AuthorizeNet/webhook.php contains a signature verification bypass that allows an attacker to forge webhook requests with arbitrary payment amounts and target user IDs. By supplying a valid transaction ID from a small legitimate purchase, the attacker bypasses signature validation and credits arbitrary wallet balances to any user account via attacker-controlled payload fields.

References

github.com/WWBN/AVideo/commit/033e83ae904cacb99495dbea7cbcfb3738cf42e4
github.com/WWBN/AVideo/security/advisories/GHSA-95jh-7r58-xmxw
github.com/advisories/GHSA-95jh-7r58-xmxw
nvd.nist.gov/vuln/detail/CVE-2026-33731

Code Behaviors & Features

Detect and mitigate CVE-2026-33731 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →