CVE-2026-0750 HIGH

CVE-2026-0750: Payment bypass in Commerce Paybox

Vendor Drupal
Product Drupal Commerce Paybox
Weakness CWE-347
Published January 28, 2026
Last update January 28, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.

Explanation of Vulnerability in Simple Terms

02Summary

Drupal Commerce Paybox versions 7.x-1.0 through 7.x-1.5 contain an improper cryptographic signature verification flaw (CWE-347). An attacker can forge payment notifications without valid authentication, potentially manipulating transaction records. The vulnerability requires network access but no user interaction or authentication. Site administrators should update to a version newer than 7.x-1.5 immediately.

What an attacker can do

03Attacker Capabilities

Forge payment notifications to manipulate transaction records or bypass payment verification.

Potential impact on your site

04Site Impact

Attackers can falsify payment confirmations, leading to unauthorized transactions or revenue loss.

Conditions required to exploit

05Prerequisites

Network access to the Drupal site; no authentication or user interaction required.

Key dates

06Disclosure timeline

January 28, 2026 CVE published
January 28, 2026 Record updated