#VU125507 Missing Authorization in AVideo - CVE-2026-35448

 


Published: April 8, 2026


Vulnerability identifier: #VU125507
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35448
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote attacker to disclose sensitive payment order information.

The vulnerability exists due to missing authorization in the BlockonomicsYPT check.php endpoint when handling requests for a supplied Bitcoin address. A remote attacker can send a specially crafted request with a known Bitcoin address to disclose sensitive payment order information.

Bitcoin addresses used by the platform may be discoverable from public blockchain data, and no session cookie or API key is required.


Remediation

Install the security update from the vendor's website.
