Skip to main content

Next Saas Stripe Starter

3 CVEs product

Monthly

CVE-2026-4549 LOW Monitor

An authorization bypass vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the openCustomerPortal function of the Stripe API integration component. Authenticated users with low privileges can bypass authorization controls to access Stripe customer portal functionality they should not be permitted to access, potentially gaining unauthorized view access to sensitive customer data. While the vulnerability requires authentication and has high attack complexity, exploitation is considered difficult but possible; no evidence of active exploitation in the wild or public proof-of-concept code has been reported.

Authentication Bypass Next Saas Stripe Starter
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-4548 MEDIUM This Month

Improper authorization in mickasmt next-saas-stripe-starter 1.0.0 allows authenticated users to manipulate userId and role parameters in the updateUserRole function, enabling unauthorized modification of user permissions. An attacker with valid credentials can exploit this vulnerability remotely to escalate privileges or modify other users' roles. No patch is currently available.

Authentication Bypass Next Saas Stripe Starter
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4547 MEDIUM This Month

A business logic vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the generateUserStripe function of the Checkout Handler component, where manipulation of the priceId parameter can lead to unauthorized modification of transaction data. An authenticated remote attacker can exploit this vulnerability to alter billing information or trigger unintended payment processing logic, potentially causing financial discrepancies or service abuse. With a CVSS score of 4.3 and low attack complexity, this vulnerability represents a moderate risk requiring prompt attention despite the low impact rating.

Information Disclosure Next Saas Stripe Starter
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
EPSS 0% CVSS 2.3
LOW Monitor

An authorization bypass vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the openCustomerPortal function of the Stripe API integration component. Authenticated users with low privileges can bypass authorization controls to access Stripe customer portal functionality they should not be permitted to access, potentially gaining unauthorized view access to sensitive customer data. While the vulnerability requires authentication and has high attack complexity, exploitation is considered difficult but possible; no evidence of active exploitation in the wild or public proof-of-concept code has been reported.

Authentication Bypass Next Saas Stripe Starter
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper authorization in mickasmt next-saas-stripe-starter 1.0.0 allows authenticated users to manipulate userId and role parameters in the updateUserRole function, enabling unauthorized modification of user permissions. An attacker with valid credentials can exploit this vulnerability remotely to escalate privileges or modify other users' roles. No patch is currently available.

Authentication Bypass Next Saas Stripe Starter
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A business logic vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the generateUserStripe function of the Checkout Handler component, where manipulation of the priceId parameter can lead to unauthorized modification of transaction data. An authenticated remote attacker can exploit this vulnerability to alter billing information or trigger unintended payment processing logic, potentially causing financial discrepancies or service abuse. With a CVSS score of 4.3 and low attack complexity, this vulnerability represents a moderate risk requiring prompt attention despite the low impact rating.

Information Disclosure Next Saas Stripe Starter
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy