26 matches found

RedhatCVE
added 2026/03/27 10:51 p.m., 1 view

CVE-2026-33661

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verify_wechat_sign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVSS 8.6 | AI score 5.9 | EPSS 0.00016
Exploits 1 | References 1
NVD
added 2026/03/26 10:16 p.m., 2 views

CVE-2026-33661

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verify_wechat_sign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVSS 8.6 | EPSS 0.00016
Exploits 1 | References 3
ATTACKERKB
added 2026/03/26 9:05 p.m., 8 views

CVE-2026-33661

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verify_wechat_sign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVSS 8.6 | AI score 5.8 | EPSS 0.00016
Exploits 1 | References 4 | Affected Software 1
Cvelist
added 2026/03/26 9:05 p.m., 20 views

CVE-2026-33661 WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verify_wechat_sign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVSS 8.6 | EPSS 0.00016
Exploits 1 | References 3
Vulnrichment
added 2026/03/26 9:05 p.m., 0 views

CVE-2026-33661 WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verify_wechat_sign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVSS 8.6 | AI score 5.9 | EPSS 0.00016
Exploits 1 | References 3
CVE
added 2026/03/26 9:05 p.m., 8 views

CVE-2026-33661

CVE-2026-33661 affects the yansongda/pay library prior to 3.7.20. The verify_wechat_sign() function incorrectly bypasses RSA signature verification when the PSR-7 request Host header is localhost, allowing an attacker to POST to the WeChat Pay callback with Host: localhost and forge payment succe...

CVSS 8.6 | AI score 5.8 | EPSS 0.00016
Exploits 1 | References 3 | Affected Software 1
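The bug class behind CVE-2026-33661 is a trust decision made on an attacker-controlled request attribute: the Host header a client sends decides whether the RSA check runs at all. The following is an added example, written for this listing and not code from yansongda/pay (which is PHP; the real src/Functions.php is not reproduced here). It renders the vulnerable logic and the corrected logic in Go, using the WeChat Pay v3 notification verification scheme: the platform signs `timestamp + "\n" + nonce + "\n" + body + "\n"` with RSA-SHA256 and sends the base64 signature in the Wechatpay-Signature header, alongside Wechatpay-Timestamp and Wechatpay-Nonce. The platform key pair, the callback bodies and the host names are constructed for the demo; in production the merchant holds only the platform public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Callback holds what a WeChat Pay v3 notification verifier needs: the raw body,
// the Wechatpay-* headers and the host the request reports.
type Callback struct {
	Host, Timestamp, Nonce, Signature, Body string
}

// fromRequest pulls those fields out of an *http.Request. r.Host comes straight
// from the client's Host header, i.e. it is attacker-controlled.
func fromRequest(r *http.Request, body string) Callback {
	return Callback{
		Host:      r.Host,
		Timestamp: r.Header.Get("Wechatpay-Timestamp"),
		Nonce:     r.Header.Get("Wechatpay-Nonce"),
		Signature: r.Header.Get("Wechatpay-Signature"),
		Body:      body,
	}
}

// signedMessage is the string WeChat Pay v3 signs: timestamp\nnonce\nbody\n.
func signedMessage(c Callback) []byte {
	return []byte(c.Timestamp + "\n" + c.Nonce + "\n" + c.Body + "\n")
}

// verifyRSA checks the base64 RSA-SHA256 signature with the platform public key.
func verifyRSA(pub *rsa.PublicKey, c Callback) error {
	if c.Timestamp == "" || c.Nonce == "" || c.Signature == "" {
		return errors.New("missing Wechatpay-* headers")
	}
	sig, err := base64.StdEncoding.DecodeString(c.Signature)
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	d := sha256.Sum256(signedMessage(c))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// verifyVulnerable reproduces the advisory's bug class: when the request reports
// localhost as its host the signature check is skipped entirely. Illustrative only.
func verifyVulnerable(pub *rsa.PublicKey, c Callback) error {
	if strings.EqualFold(c.Host, "localhost") { // attacker picks this value
		return nil
	}
	return verifyRSA(pub, c)
}

// verifyFixed lets no request attribute short-circuit the signature check.
func verifyFixed(pub *rsa.PublicKey, c Callback) error {
	return verifyRSA(pub, c)
}

// signCallback plays the WeChat Pay platform for the demo and signs c.
func signCallback(priv *rsa.PrivateKey, c *Callback) error {
	d := sha256.Sum256(signedMessage(*c))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return err
	}
	c.Signature = base64.StdEncoding.EncodeToString(sig)
	return nil
}

// Outcome records how each verifier treats the constructed callbacks.
type Outcome struct {
	VulnerableAcceptsForged bool // true means the Host: localhost bypass worked
	FixedAcceptsForged      bool
	FixedAcceptsGenuine     bool
	FixedRejectsTampered    bool
}

// RunDemo builds a forged "payment succeeded" callback (Host: localhost, no
// signature at all), a genuine signed one and a tampered copy, and runs both
// verifiers. Keys and bodies are constructed for the demo.
func RunDemo() (Outcome, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	pub := &priv.PublicKey
	forged := Callback{Host: "localhost",
		Body: `{"event_type":"TRANSACTION.SUCCESS","out_trade_no":"order-1"}`} // constructed
	genuine := Callback{Host: "pay.example.com", Timestamp: "1700000000", Nonce: "n1",
		Body: `{"event_type":"TRANSACTION.SUCCESS","out_trade_no":"order-2"}`} // constructed
	if err := signCallback(priv, &genuine); err != nil {
		return Outcome{}, err
	}
	tampered := genuine
	tampered.Body = strings.Replace(tampered.Body, "order-2", "order-3", 1)
	return Outcome{
		VulnerableAcceptsForged: verifyVulnerable(pub, forged) == nil,
		FixedAcceptsForged:      verifyFixed(pub, forged) == nil,
		FixedAcceptsGenuine:     verifyFixed(pub, genuine) == nil,
		FixedRejectsTampered:    verifyFixed(pub, tampered) != nil,
	}, nil
}

func main() {
	o, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The forged callback carries no Wechatpay-* headers at all, yet verifyVulnerable accepts it because the Host check runs first; verifyFixed rejects it, accepts the platform-signed one, and rejects the copy whose body was altered after signing. Whatever "localhost" convenience the skip was meant to provide belongs in a test double injected at build time, not in a branch on the live request.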
OSV
added 2026/03/26 9:05 p.m., 1 view

CVE-2026-33661 WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verify_wechat_sign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVSS 8.6 | AI score 5.9 | EPSS 0.00016
Exploits 1 | References 5
Github Security Blog
added 2026/03/25 7:30 p.m., 3 views

WeChat Pay callback signature verification bypassed when Host header is localhost

Summary: The verify_wechat_sign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header,...

CVSS 8.6 | AI score 5.9 | EPSS 0.00016
Exploits 1 | References 5 | Affected Software 1
OSV
added 2026/03/25 7:30 p.m., 1 view

GHSA-Q938-GHWV-8GVC WeChat Pay callback signature verification bypassed when Host header is localhost

Summary: The verify_wechat_sign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header,...

CVSS 8.6 | AI score 5.9 | EPSS 0.00016
Exploits 1 | References 5
Positive Technologies
added 2026/03/25 12:00 a.m., 2 views

PT-2026-28169

Name of the vulnerable software and affected versions: Pay versions prior to 3.7.20. Description: The verify_wechat_sign function in src/Functions.php does not properly validate signatures when the Host header in a PSR-7 request is set to localhost. This allows an attacker to bypass the RSA signatur...

CVSS 8.6 | AI score 5.9 | EPSS 0.00016
Exploits 1 | References 5
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-3991

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.9 | EPSS 0.00335
Exploits 1 | References 3
OSV
added 2024/08/20 8:11 p.m., 1 view

CVE-2024-41658 GHSL-2024-036: Reflected XSS in QrCodePage.js

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, the purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through Casdoor, the product page allows you to pay via...

CVSS 6.1 | AI score 6.2 | EPSS 0.0031
Exploits 1 | References 4
ThreatPost
added 2022/08/16 12:26 p.m., 51 views

Xiaomi Phone Bug Allowed Payment Forgery

Smartphone maker Xiaomi, the world’s number three phone maker behind Apple and Samsung, reported it has patched a high-severity flaw in its “trusted environment” used to store payment data that opened some of its handsets to attack. Researchers at Check Point Research revealed last week in a repo...

CVSS 7.5 | AI score 7.7 | EPSS 0.00393
Exploits 0 | References 6
Github Security Blog
added 2022/05/14 3:00 a.m., 17 views

WeChat Pay Java SDK allows XXE

WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL...

CVSS 7.5 | AI score 6.8 | EPSS 0.00335
Exploits 1 | References 3 | Affected Software 1
OSV
added 2022/05/14 3:00 a.m., 27 views

GHSA-GQGV-2GP3-QQP3 WeChat Pay Java SDK allows XXE

WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL...

CVSS 7.5 | AI score 7.6 | EPSS 0.00335
Exploits 1 | References 3
CNVD
added 2021/01/07 12:00 a.m., 0 views

WeChat Pay has a flawed logic vulnerability

WeChat is a free application launched by Tencent on January 21, 2011 to provide instant messaging services for smart terminals. A logic flaw vulnerability exists in WeChat Pay, which can be exploited by attackers to compromise confidentiality and integrity...

AI score 7
Exploits 0
The Hacker News
added 2018/12/04 7:16 p.m., 195 views

New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

A new piece of ransomware is spreading rapidly across China that has already infected more than 100,000 computers in the last four days as a result of a supply-chain attack... and the number of infected users is continuously increasing every hour. What's Interesting? Unlike almost every ransomwar...

AI score 7.1
Exploits 0
myhack58
added 2018/10/11 12:00 a.m., 522 views

Defect Weekly, issue 4: XML external entity injection - vulnerability alert - Heiba Security Net (myhack58)

Code audit is a method that uses static analysis to find security flaws in source code. It helps development or testing staff gain a more comprehensive understanding of a piece of software's security concerns and the preventive measures for them before it goes live, and has therefore always been t...

CVSS 7.5 | AI score 0.2 | EPSS 0.02526
Exploits 2
NVD
added 2018/07/08 3:29 p.m., 16 views

CVE-2018-13439

WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL...

CVSS 7.5 | AI score 7.5 | EPSS 0.00335
Exploits 1 | References 1