Skip to main content

PayRange CVE-2026-13462

| EUVDEUVD-2026-42637 HIGH
2026-07-09 cret@cert.org GHSA-wpmg-2gv8-722g
7.5
CVSS 3.1 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

MITM network positioning is required to abuse the cert bypass, so AC:H rather than AC:L; impact is confidentiality-only (C:H) as the attacker reads transmitted data with no integrity/availability effect described.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cert).

CVSS VectorVendor: cert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 09, 2026 - 20:23 vuln.today
CVSS changed
Jul 09, 2026 - 20:22 NVD
7.5 (HIGH)
CVSS changed
Jul 09, 2026 - 20:22 NVD
7.5 (HIGH)
CVE Published
Jul 09, 2026 - 17:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 09, 2026 - 17:16 cve.org
HIGH 7.5

DescriptionCVE.org

PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends.

AnalysisAI

Sensitive data exposure in the PayRange Android app (versions 7.0.7 and below) stems from improper TLS certificate validation in the app's embedded webviews, which accept invalid or attacker-controlled certificates. A network-positioned (man-in-the-middle) attacker can therefore decrypt and capture information users submit through those webviews, such as account or payment-related data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain man-in-the-middle position on victim's network
Exploit
Present forged TLS certificate to app webview
Execution
Certificate validation bypassed, session decrypted
Impact
Capture user-submitted account/payment data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a man-in-the-middle network position on the traffic path between the victim's device and PayRange servers (e.g., control of the local Wi-Fi, ARP/DNS spoofing, or an upstream network hop), and the victim must be using PayRange Android 7.0.7 or earlier and actively entering data into an affected webview. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) rates this as high-severity confidentiality-only impact with no privileges or user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sets up a rogue access point or performs ARP spoofing on a shared network (e.g., a laundromat or café) where a victim uses the PayRange app. Because the app's webviews accept the attacker's forged TLS certificate, the attacker transparently proxies the HTTPS session and reads the account and payment details the user enters. …
Remediation Upgrade the PayRange Android app to a release later than 7.0.7 that enforces proper certificate validation; no exact fixed version number is stated in the provided data, so consult the CERT/CC advisory at https://kb.cert.org/vuls/id/152953 for the vendor-confirmed patched build before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems and user populations using PayRange Android app versions 7.0.7 or below; communicate advisory to affected users and restrict app usage to trusted, controlled networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy