CVE-2026-33661 (GCVE-0-2026-33661)

Vulnerability from cvelistv5 – Published: 2026-03-26 21:05 – Updated: 2026-03-27 20:00
VLAI
Title
WeChat Pay callback signature verification bypassed when Host header is localhost
Summary
Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue.
Severity
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE
  • CWE-290 - Authentication Bypass by Spoofing
Assigner
References
Impacted products
Vendor Product Version
yansongda pay Affected: < 3.7.20
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33661",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T14:12:47.859453Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T20:00:56.285Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pay",
          "vendor": "yansongda",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.7.20"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T21:05:22.607Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc"
        },
        {
          "name": "https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f"
        },
        {
          "name": "https://github.com/yansongda/pay/releases/tag/v3.7.20",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yansongda/pay/releases/tag/v3.7.20"
        }
      ],
      "source": {
        "advisory": "GHSA-q938-ghwv-8gvc",
        "discovery": "UNKNOWN"
      },
      "title": "WeChat Pay callback signature verification bypassed when Host header is localhost"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33661",
    "datePublished": "2026-03-26T21:05:22.607Z",
    "dateReserved": "2026-03-23T15:23:42.219Z",
    "dateUpdated": "2026-03-27T20:00:56.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33661",
      "date": "2026-05-30",
      "epss": "0.00015",
      "percentile": "0.03415"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33661\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T22:16:29.560\",\"lastModified\":\"2026-04-01T13:47:23.640\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Pay es un paquete de extensi\u00f3n de SDK de pago de c\u00f3digo abierto para varios servicios de pago chinos. Antes de la versi\u00f3n 3.7.20, la funci\u00f3n `verify_wechat_sign()` en `src/Functions.php` omite incondicionalmente toda la verificaci\u00f3n de firma cuando la solicitud PSR-7 informa localhost como el host. Un atacante puede explotar esto enviando una solicitud HTTP manipulada al endpoint de callback de WeChat Pay con un encabezado Host: localhost, eludiendo por completo la verificaci\u00f3n de firma RSA. Esto permite falsificar notificaciones de \u00e9xito de pago falsas de WeChat Pay, lo que podr\u00eda hacer que las aplicaciones marquen los pedidos como pagados sin un pago real. La versi\u00f3n 3.7.20 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:yansongda:pay:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.7.20\",\"matchCriteriaId\":\"EB442148-12BE-4EE8-A5C6-99501BC4C1B2\"}]}]}],\"references\":[{\"url\":\"https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/yansongda/pay/releases/tag/v3.7.20\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33661\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T14:12:47.859453Z\"}}}], \"references\": [{\"url\": \"https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T14:12:58.458Z\"}}], \"cna\": {\"title\": \"WeChat Pay callback signature verification bypassed when Host header is localhost\", \"source\": {\"advisory\": \"GHSA-q938-ghwv-8gvc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"yansongda\", \"product\": \"pay\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.7.20\"}]}], \"references\": [{\"url\": \"https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc\", \"name\": \"https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f\", \"name\": \"https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/yansongda/pay/releases/tag/v3.7.20\", \"name\": \"https://github.com/yansongda/pay/releases/tag/v3.7.20\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request reports `localhost` as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a `Host: localhost` header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment. Version 3.7.20 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T21:05:22.607Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33661\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T20:00:56.285Z\", \"dateReserved\": \"2026-03-23T15:23:42.219Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T21:05:22.607Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.