CVE-2026-35448 | THREATINT

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-06 | Updated 2026-04-07 | Assigner GitHub_M

LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-862: Missing Authorization

Product status

<= 26.0

affected

References

github.com/...AVideo/security/advisories/GHSA-3v7m-qg4x-58h9 exploit

github.com/...AVideo/security/advisories/GHSA-3v7m-qg4x-58h9

cve.org (CVE-2026-35448)

nvd.nist.gov (CVE-2026-35448)

Download JSON