PT-2026-53971 · Paymenter · Paymenter
Published: 2026-06-30 · Updated: 2026-06-30
CVE-2026-47198
CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Paymenter (affected versions not specified)
Description
Authenticated users can inject arbitrary key-value pairs into server provisioning parameters due to improper input validation and mass assignment of user-controlled fields. The system fails to filter URL-writable properties, allowing undefined keys to bypass validation and be stored without sanitization. An attacker can submit crafted checkout requests to override admin-defined settings, leading to unauthorized changes in resource limits such as CPU, RAM, and storage, and the ability to bypass paid plan restrictions.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
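The mass-assignment pattern described above, next to an allowlist-based alternative, as an added example. This is not Paymenter's code: the function names, option keys, and sample values are all hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; constructed sample data, not Paymenter's code.
// Admin-defined provisioning settings for a plan.
const ADMIN_SETTINGS = ['cpu' => 100, 'memory' => 1024, 'disk' => 10240];

// Options a customer may set at checkout: a list of allowed values,
// or null for free text that is validated by pattern below.
const CUSTOMER_OPTIONS = [
    'location' => ['eu-1', 'us-1'],
    'hostname' => null,
];

// Weak pattern: every submitted key is stored and overrides admin settings.
function buildParamsUnsafe(array $input): array
{
    return array_merge(ADMIN_SETTINGS, $input);
}

// Hardened pattern: undeclared keys are rejected, each value is validated,
// and admin settings are merged last so they always take precedence.
function buildParamsSafe(array $input): array
{
    $unknown = array_keys(array_diff_key($input, CUSTOMER_OPTIONS));
    if ($unknown !== []) {
        throw new InvalidArgumentException('Undefined option(s): ' . implode(', ', $unknown));
    }
    $clean = [];
    foreach ($input as $key => $value) {
        if (!is_string($value)) {
            throw new InvalidArgumentException("Option $key must be a string");
        }
        $allowed = CUSTOMER_OPTIONS[$key];
        $ok = $allowed !== null
            ? in_array($value, $allowed, true)
            : preg_match('/\A[a-z0-9-]{1,63}\z/', $value) === 1;
        if (!$ok) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $clean[$key] = $value;
    }
    return array_merge($clean, ADMIN_SETTINGS);
}

// Constructed checkout input carrying a key the customer must not control.
$request = ['location' => 'eu-1', 'memory' => '65536'];
var_dump(buildParamsUnsafe($request)['memory']);
try { buildParamsSafe($request); } catch (InvalidArgumentException $e) { echo $e->getMessage(), PHP_EOL; }
```

Rejecting the whole request on an undeclared key, rather than silently dropping it, also gives operators a clear event to log and alert on.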
IDOR
RCE
Related Identifiers
Affected Products
Paymenter