DRUPAL-CONTRIB-2026-058

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/commerce_realex/DRUPAL-CONTRIB-2026-058.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-058
Aliases
  • CVE-2026-13238
Published
2026-06-24T18:40:07Z
Modified
2026-06-25T07:10:08Z
Summary
[none]
Details

This module enables you to take payments through the Global Payments / Realex Hosted Payment Page (HPP), either via a lightbox iframe or via a full-page redirect.

When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment response returned by Global Payments.

The lightbox payment method validates the signature, so sites that use it are not affected.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/commerce_realex

Package

Name
drupal/commerce_realex
Purl
pkg:composer/drupal%2Fcommerce_realex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.0.2
Database specific
{
    "constraint": "<3.0.2"
}

Database specific

affected_versions
"<3.0.2"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/commerce_realex/DRUPAL-CONTRIB-2026-058.json"