Skip to main content
CVE-2026-35448 LOW GHSA Monitor

Unauthenticated access to payment order data in the BlockonomicsYPT plugin for AVideo allows remote attackers to retrieve sensitive payment information including user IDs, transaction amounts, and Bitcoin transaction details for any address without authentication. The vulnerable check.php endpoint returns complete order records queryable by Bitcoin address alone, enabling attackers to link on-chain transactions to specific platform user accounts and violate user privacy. No exploit complexity is required beyond discovering Bitcoin addresses on the public blockchain.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-35200 LOW PATCH GHSA Monitor

Parse Server file upload handler fails to validate Content-Type headers against filename extensions, allowing attackers to upload files with benign extensions (e.g., .txt) but malicious MIME types (e.g., text/html) that are served with the user-supplied Content-Type by cloud storage adapters like S3 and GCS. This enables content-type confusion attacks such as reflected XSS when files are served through CDNs or web servers that trust the stored Content-Type header. The default GridFS adapter is unaffected due to its filename-based Content-Type derivation at serving time.

File Upload
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy