CVE-2026-33661

{"id": "CVE-2026-33661", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-26T22:16:29.560", "references": [{"url": "https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/yansongda/pay/releases/tag/v3.7.20", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue."}, {"lang": "es", "value": "Pay es un paquete de extensi\u00f3n de SDK de pago de c\u00f3digo abierto para varios servicios de pago chinos. Antes de la versi\u00f3n 3.7.20, la funci\u00f3n `verify_wechat_sign()` en `src/Functions.php` omite incondicionalmente toda la verificaci\u00f3n de firma cuando la solicitud PSR-7 informa localhost como el host. Un atacante puede explotar esto enviando una solicitud HTTP manipulada al endpoint de callback de WeChat Pay con un encabezado Host: localhost, eludiendo por completo la verificaci\u00f3n de firma RSA. Esto permite falsificar notificaciones de \u00e9xito de pago falsas de WeChat Pay, lo que podr\u00eda hacer que las aplicaciones marquen los pedidos como pagados sin un pago real. La versi\u00f3n 3.7.20 corrige el problema."}], "lastModified": "2026-04-01T13:47:23.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yansongda:pay:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB442148-12BE-4EE8-A5C6-99501BC4C1B2", "versionEndExcluding": "3.7.20"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}