Severity by source
NVD: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD; only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse. This issue affects Commerce Alphabank Redirect: from 0.0.0 before 1.0.3.
Analysis (AI)
CVE-2025-48446 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Commerce Alphabank Redirect module that allows unauthenticated attackers to misuse functionality through a network-based attack requiring user interaction. The vulnerability affects Commerce Alphabank Redirect versions prior to 1.0.3, with a CVSS score of 8.8 indicating high severity across confidentiality, integrity, and availability impacts. No public indicators of active exploitation or proof-of-concept code are currently documented, but the high CVSS score and the authorization-bypass nature of the flaw warrant immediate patching.
Technical Context (AI)
The Drupal Commerce Alphabank Redirect module is a payment gateway integration component for the Drupal Commerce e-commerce platform, specifically designed to handle payment redirects for Alphabank payment processing. The vulnerability stems from inadequate authorization checks (CWE-863: Incorrect Authorization) in the module's redirect handling logic, allowing attackers to bypass intended access controls. This authorization flaw affects the module's ability to properly validate user permissions before executing sensitive payment-related functionality. The module integrates with Drupal's routing and permissions systems, and the vulnerability suggests either missing permission checks, improper role validation, or insufficient CSRF/session token verification in the redirect workflow. The affected CPE would be: cpe:2.3:a:drupal:commerce_alphabank_redirect:*:*:*:*:*:drupal:*:* with versions 0.0.0 through 1.0.2 in scope.
Remediation (AI)
Update (priority: Immediate): Update Drupal Commerce Alphabank Redirect to version 1.0.3 or later, via the Drupal module update mechanism or by direct download from drupal.org/project/commerce_alphabank_redirect.
Verification (priority: High): Verify the module version via the admin interface (Administration > Reports > Available updates) or with the drush command: drush pm-info commerce_alphabank_redirect
Access Control Review (priority: High): Audit user roles and permissions assigned to payment-related functionality; ensure only trusted users have payment processing access.
Workaround (priority: Medium): If immediate patching is not possible, restrict access to the Alphabank redirect endpoint via web server configuration or Drupal's URL access restrictions until the patch is deployed.
Monitoring (priority: Medium): Review access logs for unusual redirect patterns or unauthorized payment gateway interactions; monitor Drupal security advisories for additional guidance.
Related advisories
EUVD-2025-18126
GHSA-48wx-8736-jgx2