What is the CVSS score of CVE-2026-34368?

CVE-2026-34368 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2026-34368?

Organizations using versions should be aware of moderate risk from CVE-2026-34368, a race condition vulnerability rated CVSS 5.3. Exploitation could compromise the security of affected deployments.

PHP CVE-2026-34368

EUVD-2026-16734 MEDIUM

Race Condition (CWE-362)

2026-03-27 security-advisories@github.com

GHSA-h54m-c522-h6qr

PHP Information Disclosure Race Condition

5.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 27, 2026 - 18:22 euvd

EUVD-2026-16734

Analysis Generated

Mar 27, 2026 - 18:22 vuln.today

CVE Published

Mar 27, 2026 - 18:16 nvd

MEDIUM 5.3

DescriptionNVD

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance() method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance - all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix.

AnalysisAI

WWBN AVideo up to version 26.0 allows authenticated attackers to conduct concurrent balance transfers that exploit a Time-of-Check-Time-of-Use (TOCTOU) race condition in the wallet module, enabling arbitrary financial value multiplication without database transaction protection. An attacker with multiple authenticated sessions can trigger parallel transfer requests that each read the same wallet balance, all pass the sufficiency check independently, but result in only a single deduction while the recipient receives multiple credits. …

RemediationAI

Within 30 days: Identify affected systems running versions and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-34368 vulnerability details – vuln.today

Back

PHP CVE-2026-34368

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code