{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0750", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-08T19:51:40.852Z", "datePublished": "2026-01-28T18:53:42.343Z", "dateUpdated": "2026-01-28T19:25:29.820Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/commerce_paybox", "defaultStatus": "unaffected", "packageName": "Commerce Paybox", "platforms": ["Drupal 7.x"], "product": "Drupal Commerce Paybox", "vendor": "Drupal", "versions": [{"lessThanOrEqual": "7.x-1.5", "status": "affected", "version": "7-x-1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dave Hernandez (defr)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.<p>This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.</p>"}], "value": "Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-01-28T18:53:42.343Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0750"}, {"tags": ["third-party-advisory"], "url": "https://d7es.tag1.com/security-advisories/commerce-paybox-moderately-critical-payment-bypass-vulnerability"}], "source": {"discovery": "UNKNOWN"}, "title": "Payment bypass in Commerce Paybox", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T19:25:03.938086Z", "id": "CVE-2026-0750", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T19:25:29.820Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0750", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T19:25:03.938086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T19:25:20.505Z"}}], "cna": {"title": "Payment bypass in Commerce Paybox", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Dave Hernandez (defr)"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Drupal", "product": "Drupal Commerce Paybox", "versions": [{"status": "affected", "version": "7-x-1.0", "versionType": "custom", "lessThanOrEqual": "7.x-1.5"}], "platforms": ["Drupal 7.x"], "packageName": "Commerce Paybox", "collectionURL": "https://www.drupal.org/project/commerce_paybox", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0750", "tags": ["third-party-advisory"]}, {"url": "https://d7es.tag1.com/security-advisories/commerce-paybox-moderately-critical-payment-bypass-vulnerability", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.", "supportingMedia": [{"type": "text/html", "value": "Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.<p>This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-01-28T18:53:42.343Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0750", "state": "PUBLISHED", "dateUpdated": "2026-01-28T19:25:29.820Z", "dateReserved": "2026-01-08T19:51:40.852Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-01-28T18:53:42.343Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:verifone:commerce_paybox:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "A6D94C51-6FD8-421F-97A8-5308BF1503FB", "versionEndIncluding": "7.x-1.5", "versionStartIncluding": "7-x-1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5."}, {"lang": "es", "value": "Vulnerabilidad de verificaci\u00f3n incorrecta de firma criptogr\u00e1fica en Drupal Commerce Paybox en Drupal 7.X permite la omisi\u00f3n de autenticaci\u00f3n. Este problema afecta a Drupal Commerce Paybox: desde 7-x-1.0 hasta 7.X-1.5."}], "id": "CVE-2026-0750", "lastModified": "2026-03-09T14:38:54.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mlhess@drupal.org", "type": "Secondary"}]}, "published": "2026-01-28T19:16:24.620", "references": [{"source": "mlhess@drupal.org", "tags": ["Third Party Advisory"], "url": "https://d7es.tag1.com/security-advisories/commerce-paybox-moderately-critical-payment-bypass-vulnerability"}, {"source": "mlhess@drupal.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0750"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:41:46.817775+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal Commerce Paybox to the latest supported release that fixes the signature verification bug.", "Restrict access to the payment submission endpoint, ensuring only authenticated users with appropriate permissions can reach it.", "Implement proper cryptographic signature verification for all payment requests to prevent the bypass.", "Continuously monitor transaction logs for anomalous activity and conduct regular audits of e\u2011commerce operations."], "summary": {"action": "Patch Now", "impact": "Authentication Bypass (payment processing)"}, "threat_synthesis": {"affected_systems": "The issue affects Drupal Commerce Paybox 7-x-1.0 through 7.X-1.5, which is a module that extends Drupal 7 for e\u2011commerce transactions. The product is supplied by Verifone and is listed in the CPE catalog as verifone:commerce_paybox. Any installation of the affected module versions on a Drupal 7 site is vulnerable.", "description_and_impact": "Improper verification of a cryptographic signature in Drupal Commerce Paybox allows an attacker to forge payment requests and bypass the authentication controls that normally ensure that only legitimate users can submit transactions. This flaw is classified under CWE-347. The result is that an unauthenticated or unauthorized user can create or modify payment orders without the platform detecting the tampering, potentially causing unauthorized funds to be processed or legitimate funds to be diverted.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity risk. The EPSS score is under 1\u202f%, suggesting low exploitation probability at present, and the flaw is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is via the web interface that accepts signed payment data; an attacker would need to obtain a valid cryptographic signature or forge one, but because the signature is not checked correctly, malicious requests can still reach the payment processing logic. If an attacker can construct such requests, the payment bypass can be performed without needing further privileges."}}}}, "created": "2026-01-29T09:08:45.903786+00:00", "updated": "2026-04-18T01:45:33.402794+00:00", "vendors": ["drupal", "drupal$PRODUCT$drupal_commerce_paybox"]}