{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35448", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-06T21:45:01.877Z", "dateUpdated": "2026-04-07T15:08:51.870Z"}, "containers": {"cna": {"title": "WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:45:01.877Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform."}], "source": {"advisory": "GHSA-3v7m-qg4x-58h9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:37:28.857671Z", "id": "CVE-2026-35448", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:08:51.870Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform."}], "id": "CVE-2026-35448", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:23.157", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T02:16:08.404541+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch or upgrade to the latest version of AVideo that has the check.php endpoint secured with authentication.", "Disable or uninstall the BlockonomicsYPT plugin to remove the vulnerable endpoint.", "Implement server\u2011level restrictions (e.g., .htaccess or firewall rules) to block unauthenticated access to check.php.", "Monitor web server logs for repeated or suspicious access to the check.php endpoint."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Affected product is WWBN AVideo. Versions 26.0 and earlier are vulnerable. All installations that have the BlockonomicsYPT plugin enabled are susceptible.", "description_and_impact": "The vulnerability lies in the BlockonomicsYPT check.php endpoint of WWBN AVideo. The script returns payment order data for any Bitcoin address without performing any authorization checks. This missing authorization (CWE\u2011862) allows an attacker to read sensitive financial transaction information, compromising confidentiality of users\u2019 payment records.", "risk_and_exploitability": "The CVSS score is 3.7, indicating moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote, unauthenticated HTTP request to the check.php endpoint. An attacker only needs the public Bitcoin address, which can be obtained from the blockchain, to retrieve the payment data. Because the endpoint exposes private payment information, compromised confidentiality could impact user trust and financial privacy even though exploitation requires only a simple HTTP request."}}}}, "created": "2026-04-07T06:53:42.234672+00:00", "updated": "2026-04-07T09:36:40.016731+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}