cvedb.io
CVE-2026-35448
LOW · CVSS 3.7
EPSS exploitation probability: 0%
Published 2026-04-06T22:16:23.157 · Last modified 2026-06-17T10:40:36.913

Summary

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform.

Affected products

wwbn — avideo

Does this affect you?

Add your gear to cvedb and we'll alert you only when wwbn ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.