GHSA-5q4q-834j-g8g4

Source
https://github.com/advisories/GHSA-5q4q-834j-g8g4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5q4q-834j-g8g4/GHSA-5q4q-834j-g8g4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5q4q-834j-g8g4
Aliases
  • CVE-2026-47198
Published
2026-06-30T16:44:31Z
Modified
2026-06-30T16:45:17.800329877Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Summary
Paymenter has URL parameter injection that bypasses paid plan limits at checkout
Details

Summary

The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.

Technical Details

The Checkout Livewire component (app/Livewire/Products/Checkout.php) exposes the $checkoutConfig property to URL query parameters via the #[Url] attribute (aliased as config).

When processing this input:

1. Validation rules are dynamically generated only for keys explicitly defined by an extension's getCheckoutConfig() method. Any undefined keys injected into the query parameter bypass validation entirely.

2. The cart component (app/Livewire/Cart.php) stores all keys from checkout_config directly into the database without sanitization:

   // Every submitted key is persisted, whether or not the extension declared it.
   foreach ($item->checkout_config as $key => $value) {
       $service->properties()->updateOrCreate(['key' => $key], ['value' => $value]);
   }

3. During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension's createServer() method.

Because of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.
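As an added example (not Paymenter's own code), the allowlist filter that closes the gap described above: only keys the extension declares via getCheckoutConfig() are kept before anything reaches properties()->updateOrCreate(), and rejected keys are logged so the attempt is visible. The shape of a declaration (an array with a 'name' key) and the sample key names are assumptions.

```php
<?php
// Added example, not Paymenter's own code. Assumes an extension's
// getCheckoutConfig() returns a list of option definitions, each carrying a
// 'name' key (assumption); the key names in the sample data are constructed.

/**
 * Keep only the checkout_config keys an extension explicitly declares.
 * Returns [filtered, dropped] so the caller can persist one and log the other.
 */
function filterCheckoutConfig(array $declared, array $submitted): array
{
    // Allowlist built from the extension's declared option names.
    $allowed = array_fill_keys(array_column($declared, 'name'), true);

    $filtered = [];
    $dropped  = [];
    foreach ($submitted as $key => $value) {
        if (isset($allowed[$key])) {
            $filtered[$key] = $value;
        } else {
            $dropped[] = $key; // undeclared key: never reaches properties()
        }
    }
    return [$filtered, $dropped];
}

// Constructed sample: the extension declares a single user-selectable option.
$declared = [
    ['name' => 'location'],
];
// Constructed sample of what arrived via the URL-bound config parameter:
// one declared key plus two keys that only an administrator should control.
$submitted = [
    'location'  => 'eu-west',
    'limit_a'   => 'oversized',   // placeholder for an admin-only limit
    'limit_b'   => 'oversized',   // placeholder for an admin-only limit
];

[$filtered, $dropped] = filterCheckoutConfig($declared, $submitted);

foreach ($filtered as $key => $value) {
    // Stand-in for $service->properties()->updateOrCreate(): declared keys only.
    printf("store %s=%s\n", $key, $value);
}
if ($dropped !== []) {
    // Detection hook: rejected keys are a signal worth alerting on.
    error_log('checkout_config rejected undeclared keys: ' . implode(',', $dropped));
}
```

Apply the same allowlist to the URL-bound property before validation rules are generated, so the set that is validated and the set that is stored are identical.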

Impact

This is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.

Depending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.

Database specific
{
    "github_reviewed_at": "2026-06-30T16:44:31Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-639"
    ],
    "severity": "HIGH"
}
References

Affected packages

Packagist / paymenter/paymenter

Package

Name
paymenter/paymenter
Purl
pkg:composer/paymenter%2Fpaymenter

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.1

Affected versions

0.*
0.1
0.1.1
0.1.2
0.1.3
0.2
0.2.1
v0.*
v0.3
v0.4
v0.4.1
v0.5
v0.5.1
v0.5.2
v0.5.3
v0.6
v0.7
v0.7.1
v0.8
v0.8.1
v0.8.2
v0.9
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.1.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5q4q-834j-g8g4/GHSA-5q4q-834j-g8g4.json"