Skip to main content

Pavo Pay

1 CVEs product

Monthly

CVE-2026-1989 HIGH This Week

Broken object-level authorization in PAVO Pay (all builds through 09072026) lets remote attackers access other users' resources by substituting user-controlled identifiers (CWE-639, IDOR-class), exposing sensitive financial data with no integrity or availability impact. Reported by Turkey's national CSIRT (TR-CERT) and tracked in the ENISA EUVD, the flaw scores CVSS 7.5 driven entirely by high confidentiality impact over an unauthenticated network path. No public exploit is identified at time of analysis, but the vendor did not respond to coordinated disclosure and no fix has been released, leaving all deployments exposed.

Authentication Bypass Pavo Pay
NVD
CVSS 3.1
7.5
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH This Week

Broken object-level authorization in PAVO Pay (all builds through 09072026) lets remote attackers access other users' resources by substituting user-controlled identifiers (CWE-639, IDOR-class), exposing sensitive financial data with no integrity or availability impact. Reported by Turkey's national CSIRT (TR-CERT) and tracked in the ENISA EUVD, the flaw scores CVSS 7.5 driven entirely by high confidentiality impact over an unauthenticated network path. No public exploit is identified at time of analysis, but the vendor did not respond to coordinated disclosure and no fix has been released, leaving all deployments exposed.

Authentication Bypass Pavo Pay
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy