PT-2026-53971 · Paymenter · Paymenter

Published: 2026-06-30 · Updated: 2026-06-30 · CVE-2026-47198

CVSS v3.1: 8.5 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Paymenter (affected versions not specified)

Description

Authenticated users can inject arbitrary key-value pairs into server provisioning parameters due to improper input validation and mass assignment of user-controlled fields. The system fails to filter URL-writable properties, allowing undefined keys to bypass validation and be stored without sanitization. An attacker can submit crafted checkout requests to override admin-defined settings, leading to unauthorized changes in resource limits such as CPU, RAM, and storage, and the ability to bypass paid plan restrictions.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
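
The class of flaw described above, shown as an added example that is not Paymenter's code: a weak merge of submitted checkout fields beside an allowlisted build in which admin-defined settings always win. All function names, keys and values are hypothetical and the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not Paymenter's code.

// Admin-defined plan settings: the only trusted source for resource limits.
const PLAN_SETTINGS = ['cpu' => 100, 'memory' => 1024, 'disk' => 5120];

// Options a customer may choose at checkout, each with its own validator.
function customerOptionRules(): array
{
    return [
        'hostname' => fn($v) => is_string($v) && preg_match('/^[a-z0-9-]{1,63}$/', $v) === 1,
        'location' => fn($v) => in_array($v, ['eu', 'us'], true),
    ];
}

// Weak pattern: every submitted key is kept, and submitted keys override the plan.
function buildParamsUnsafe(array $submitted): array
{
    return array_merge(PLAN_SETTINGS, $submitted);
}

// Hardened pattern: keep only allowlisted keys that pass validation,
// then apply the plan settings last so they can never be overridden.
function buildParamsSafe(array $submitted): array
{
    $accepted = [];
    foreach (customerOptionRules() as $key => $isValid) {
        if (array_key_exists($key, $submitted) && $isValid($submitted[$key])) {
            $accepted[$key] = $submitted[$key];
        }
    }
    // Log anything dropped so undeclared keys show up in monitoring.
    $rejected = array_diff_key($submitted, $accepted);
    if ($rejected !== []) {
        error_log('checkout: dropped keys ' . implode(',', array_keys($rejected)));
    }
    return array_merge($accepted, PLAN_SETTINGS);
}

// Constructed sample input: one legitimate option plus two undeclared keys.
$submitted = ['hostname' => 'web-01', 'memory' => 65536, 'extra' => 'x'];

var_dump(buildParamsUnsafe($submitted));
var_dump(buildParamsSafe($submitted));
```

The logged list of dropped keys doubles as a detection signal: a checkout request that carries keys outside the declared option set is worth alerting on.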

IDOR

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-47198
GHSA-5Q4Q-834J-G8G4

Affected Products

Paymenter