Missing Authorization in AVideo - CVE-2026-35448

 


Published: April 8, 2026


Vulnerability identifier: #VU125507
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35448
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive payment order information.

The vulnerability exists due to missing authorization in the BlockonomicsYPT check.php endpoint when handling requests for a supplied Bitcoin address. A remote attacker can send a specially crafted request with a known Bitcoin address to disclose sensitive payment order information.

Bitcoin addresses used by the platform may be discoverable from public blockchain data, and no session cookie or API key is required.
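
Because the endpoint needs no session cookie or API key, web server access logs are where lookups against it can be reviewed. The following is an added example, not code from this advisory or from the AVideo project: it flags clients that query many distinct Bitcoin addresses. The combined log format, the `BlockonomicsYPT/check.php` path layout, the address being passed in the query string, the `addr` parameter name in the sample lines and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Assumption: check.php is served from a directory named BlockonomicsYPT.
ENDPOINT = re.compile(r"BlockonomicsYPT/check\.php", re.I)
# Bitcoin address shapes: base58 (1.../3...) and bech32 (bc1...).
BTC_ADDR = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
# Combined log format: client IP first, request line in the first quoted field.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')


def addresses_per_client(lines):
    """Map client IP -> set of distinct addresses it sent to the endpoint."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable access-log entry
        ip, target = m.groups()
        url = urlsplit(target)
        if ENDPOINT.search(url.path):
            # Match on address shape, so the parameter name does not matter.
            seen[ip].update(BTC_ADDR.findall(unquote(url.query)))
    return seen


def flag_enumeration(lines, threshold=3):
    """Return {ip: n} for clients that queried >= threshold distinct addresses."""
    per_ip = addresses_per_client(lines)
    return {ip: len(a) for ip, a in per_ip.items() if len(a) >= threshold}


# Constructed sample data: address-shaped strings, not real addresses.
FAKE = ["1" + c * 30 for c in "ABCD"] + ["bc1" + "q" * 39]


def _line(ip, addr):
    # "addr" is a hypothetical parameter name used only in these sample lines.
    return (f'{ip} - - [08/Apr/2026:10:00:00 +0000] '
            f'"GET /BlockonomicsYPT/check.php?addr={addr} HTTP/1.1" 200 512')


SAMPLE = ([_line("203.0.113.7", a) for a in FAKE]    # one client, many addresses
          + [_line("198.51.100.20", FAKE[0])] * 4    # one payer polling one order
          + ['192.0.2.5 - - [08/Apr/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 9'])

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE))
```

A client that repeatedly polls a single address stays below the threshold; set the threshold against the traffic the deployment normally sees.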


How to mitigate CVE-2026-35448

Install the security update from the vendor's website.
