CVE-2026-35448 | WWBN AVideo up to 26.0 Endpoint check.php authorization (GHSA-3v7m-qg4x-58h9)

VDB-355702 · CVE-2026-35448 · GHSA-3V7M-QG4X-58H9 WWBN AVIDEO UP TO 26.0 ENDPOINT CHECK.PHP AUTHORIZATION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 3.7 $0-$5k 1.52+ Summaryinfo A vulnerability was found in WWBN AVideo up to 26.0 and classified as problematic. The affected element is an unknown function of the file check.php of the component Endpoint. Executing a manipulation can lead to authorization. This vulnerability is tracked as CVE-2026-35448. The attack can be launched remotely. No exploit exists. Detailsinfo A vulnerability has been found in WWBN AVideo up to 26.0 and classified as problematic. This vulnerability affects an unknown code of the file check.php of the component Endpoint. The manipulation with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality. CVE summarizes: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform. The advisory is available at github.com. This vulnerability was named CVE-2026-35448 since 04/02/2026. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 04/07/2026). By approaching the search of inurl:check.php it is possible to find vulnerable targets with Google Hacking. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. Productinfo Vendor WWBN Name AVideo Version 26.0 License open-source Website Product: https://github.com/WWBN/AVideo/ CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 3.7 VulDB Meta Temp Score: 3.7 VulDB Base Score: 3.7 VulDB Temp Score: 3.6 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 3.7 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Authorization CWE: CWE-862 / CWE-863 / CWE-285 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Google Hack: 🔒 Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: no mitigation known Status: 🔍 0-Day Time: 🔒 Timelineinfo 04/02/2026 CVE reserved 04/07/2026 +5 days Advisory disclosed 04/07/2026 +0 days VulDB entry created 04/07/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-3v7m-qg4x-58h9 Status: Not defined CVE: CVE-2026-35448 (🔒) GCVE (CVE): GCVE-0-2026-35448 GCVE (VulDB): GCVE-100-355702 Entryinfo Created: 04/07/2026 07:19 Changes: 04/07/2026 07:19 (63) Complete: 🔍 Cache ID: 99:6BC:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸