CVE-2026-33661 - Pay - Authentication Bypass

Overview

Pay < 3.7.20 contains a broken authentication caused by unconditional skipping of signature verification when PSR-7 request host is localhost in verify_wechat_sign(), letting attackers forge WeChat Pay success notifications, exploit requires sending crafted HTTP request with Host: localhost header.

Severity & Score

Severity: High

CVSS Score: 8.6

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can forge payment success notifications, causing applications to mark orders as paid without actual payment.

Mitigation

Update to version 3.7.20 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 26, 2026

🟠 CVE-2026-33661 - High (8.6) Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request r... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33661/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 26, 2026

🟠 CVE-2026-33661 - High (8.6) Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 request r... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33661/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-33661 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score