GHSA-7wwh-xcc3-9fcg

Source
https://github.com/advisories/GHSA-7wwh-xcc3-9fcg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-7wwh-xcc3-9fcg/GHSA-7wwh-xcc3-9fcg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7wwh-xcc3-9fcg
Aliases
  • CVE-2026-44583
Published
2026-06-22T20:28:29Z
Modified
2026-06-22T20:45:08.117229001Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module
Details

Summary

The PayPal webhook endpoint /extensions/paypal/webhook processes the PAYPAL-CERT-URL HTTP header without validation, allowing attackers to control server-side HTTP request destinations.

Technical details:

The /extensions/paypal/webhook endpoint processes incoming webhook requests and trusts the value of the PAYPAL-CERT-URL HTTP header without validation.

This value is passed directly into a server-side HTTP request via file_get_contents, allowing attackers to control the destination of the request. No allowlist, validation, or signature verification is applied to the header before usage.

As a result, the application can be coerced into performing HTTP requests to attacker-controlled or internal network destinations.

Impact

This vulnerability allows remote unauthenticated attackers to induce server-side HTTP GET requests to arbitrary external or internal endpoints.

Depending on network configuration, this may lead to:

  • Blind SSRF to external attacker-controlled systems
  • Potential access to internal network services

No direct response data is returned to the attacker (blind SSRF), but the issue may still enable sensitive network probing or data exfiltration via side channels.
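As an added illustration (this is not Paymenter's code), the following shows the vulnerable shape the advisory describes next to a hardened version that pins the PAYPAL-CERT-URL header to an https URL on an allowlisted host before it is ever handed to file_get_contents. The allowlisted host names and the helper names are assumptions made for this example.

```php
<?php
// Added example, not Paymenter's code. The allowlist below is an assumption
// for illustration; use the certificate hosts PayPal documents for your integration.
declare(strict_types=1);

const ALLOWED_CERT_HOSTS = ['api.paypal.com', 'api.sandbox.paypal.com'];

/**
 * Returns true only when $url is an https URL whose host is on the allowlist
 * and which carries no credentials, explicit port, query string or fragment.
 * Rejecting these up front blocks file://, http://, internal hosts and
 * user@host / alternate-port tricks before any network request is made.
 */
function isAllowedCertUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (strtolower($p['scheme']) !== 'https') {
        return false;
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return false;
    }
    if (isset($p['query']) || isset($p['fragment'])) {
        return false;
    }
    return in_array(strtolower($p['host']), ALLOWED_CERT_HOSTS, true);
}

// Vulnerable shape from the advisory: the header value is used as-is,
// so the client decides where the server connects.
function fetchCertUnsafe(string $certUrlHeader): string|false
{
    return file_get_contents($certUrlHeader);
}

// Hardened shape: refuse anything outside the allowlist, then fetch with
// redirects disabled so a permitted host cannot bounce the request elsewhere.
function fetchCertSafe(string $certUrlHeader): string
{
    if (!isAllowedCertUrl($certUrlHeader)) {
        throw new InvalidArgumentException('Rejected PAYPAL-CERT-URL');
    }
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $cert = file_get_contents($certUrlHeader, false, $ctx);
    if ($cert === false) {
        throw new RuntimeException('Certificate fetch failed');
    }
    return $cert;
}
```

Pinning the host only removes the SSRF; the fetched certificate must still be used to verify the webhook signature, which the advisory notes was not being checked either.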

Database specific
{
    "github_reviewed_at": "2026-06-22T20:28:29Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Packagist / paymenter/paymenter

Package

Name
paymenter/paymenter
Purl
pkg:composer/paymenter%2Fpaymenter

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.0

Affected versions

0.*
0.1
0.1.1
0.1.2
0.1.3
0.2
0.2.1
v0.*
v0.3
v0.4
v0.4.1
v0.5
v0.5.1
v0.5.2
v0.5.3
v0.6
v0.7
v0.7.1
v0.8
v0.8.1
v0.8.2
v0.9
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.1.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-7wwh-xcc3-9fcg/GHSA-7wwh-xcc3-9fcg.json"