GHSA-WVR6-395C-5PXR
Vulnerability from github – Published: 2026-02-12 17:04 – Updated: 2026-02-19 21:56
A vulnerability in CediPay allows attackers to bypass input validation in the transaction API.
Affected users: All deployments running versions prior to the patched release.
Risk: Exploitation could result in unauthorized transactions, exposure of sensitive financial data, and compromise of payment integrity.
Severity: High — potential financial loss and reputational damage.
Patches
The issue has been fixed in version 1.2.3.
Users should upgrade to 1.2.3 or later immediately.
All versions earlier than 1.2.3 remain vulnerable.
Workarounds
If upgrading is not immediately possible:
Restrict API access to trusted networks or IP ranges.
Enforce strict input validation at the application layer.
Monitor transaction logs for anomalies or suspicious activity.
These mitigations reduce exposure but do not fully eliminate the vulnerability.
References
OWASP Input Validation Guidelines (owasp.org in Bing)
CWE-20: Improper Input Validation
GitHub Security Advisory Documentation (docs.github.com in Bing)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cedipay-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26063"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-12T17:04:50Z",
"nvd_published_at": "2026-02-19T20:25:41Z",
"severity": "HIGH"
},
"details": "A vulnerability in CediPay allows attackers to bypass input validation in the transaction API.\n\nAffected users: All deployments running versions prior to the patched release.\n\nRisk: Exploitation could result in unauthorized transactions, exposure of sensitive financial data, and compromise of payment integrity.\n\nSeverity: High \u2014 potential financial loss and reputational damage.\n\nPatches\nThe issue has been fixed in version 1.2.3.\n\nUsers should upgrade to 1.2.3 or later immediately.\n\nAll versions earlier than 1.2.3 remain vulnerable.\n\nWorkarounds\nIf upgrading is not immediately possible:\n\nRestrict API access to trusted networks or IP ranges.\n\nEnforce strict input validation at the application layer.\n\nMonitor transaction logs for anomalies or suspicious activity.\n\nThese mitigations reduce exposure but do not fully eliminate the vulnerability.\n\nReferences\nOWASP Input Validation Guidelines (owasp.org in Bing)\n\nCWE-20: Improper Input Validation\n\nGitHub Security Advisory Documentation (docs.github.com in Bing)",
"id": "GHSA-wvr6-395c-5pxr",
"modified": "2026-02-19T21:56:14Z",
"published": "2026-02-12T17:04:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xpertforextradeinc/CediPay/security/advisories/GHSA-wvr6-395c-5pxr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26063"
},
{
"type": "PACKAGE",
"url": "https://github.com/xpertforextradeinc/CediPay"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CediPay Affected by Improper Input Validation in Payment Processing"
}