{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4547", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-21T16:48:51.928Z", "datePublished": "2026-03-22T13:02:42.292Z", "dateUpdated": "2026-03-23T16:32:58.898Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-22T13:02:42.292Z"}, "title": "mickasmt next-saas-stripe-starter Checkout generate-user-stripe.ts generateUserStripe logic error", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-840", "lang": "en", "description": "Business Logic Errors"}]}], "affected": [{"vendor": "mickasmt", "product": "next-saas-stripe-starter", "versions": [{"version": "1.0.0", "status": "affected"}], "modules": ["Checkout Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in mickasmt next-saas-stripe-starter 1.0.0. Affected is the function generateUserStripe of the file actions/generate-user-stripe.ts of the component Checkout Handler. The manipulation of the argument priceId leads to business logic errors. The attack may be initiated remotely."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-21T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-21T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-21T17:54:10.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ghufran Khan (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.352374", "name": "VDB-352374 | mickasmt next-saas-stripe-starter Checkout generate-user-stripe.ts generateUserStripe logic error", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352374", "name": "VDB-352374 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.774804", "name": "Submit #774804 | mickasmt next-saas-stripe-starter 1.0.0 Business Logic Errors", "tags": ["third-party-advisory"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:32:49.739770Z", "id": "CVE-2026-4547", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:32:58.898Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "mickasmt next-saas-stripe-starter Checkout generate-user-stripe.ts generateUserStripe logic error", "credits": [{"lang": "en", "type": "reporter", "value": "Ghufran Khan (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:ND/RC:UR"}}], "affected": [{"vendor": "mickasmt", "modules": ["Checkout Handler"], "product": "next-saas-stripe-starter", "versions": [{"status": "affected", "version": "1.0.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-21T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-21T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-21T17:54:10.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352374", "name": "VDB-352374 | mickasmt next-saas-stripe-starter Checkout generate-user-stripe.ts generateUserStripe logic error", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352374", "name": "VDB-352374 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.774804", "name": "Submit #774804 | mickasmt next-saas-stripe-starter 1.0.0 Business Logic Errors", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in mickasmt next-saas-stripe-starter 1.0.0. Affected is the function generateUserStripe of the file actions/generate-user-stripe.ts of the component Checkout Handler. The manipulation of the argument priceId leads to business logic errors. The attack may be initiated remotely."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-840", "description": "Business Logic Errors"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-22T13:02:42.292Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4547", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:32:49.739770Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-23T16:32:55.527Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-4547", "state": "PUBLISHED", "dateUpdated": "2026-03-22T13:02:42.292Z", "dateReserved": "2026-03-21T16:48:51.928Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-22T13:02:42.292Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in mickasmt next-saas-stripe-starter 1.0.0. Affected is the function generateUserStripe of the file actions/generate-user-stripe.ts of the component Checkout Handler. The manipulation of the argument priceId leads to business logic errors. The attack may be initiated remotely."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en mickasmt next-saas-stripe-starter 1.0.0. Afectada est\u00e1 la funci\u00f3n generateUserStripe del archivo actions/generate-user-stripe.ts del componente Gestor de Pagos. La manipulaci\u00f3n del argumento priceId conduce a errores de l\u00f3gica de negocio. El ataque puede ser iniciado remotamente."}], "id": "CVE-2026-4547", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-22T14:16:34.610", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352374"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352374"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.774804"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-840"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "next-saas-stripe-starter", "source": "cna", "vendor": "mickasmt"}, "product": "next-saas-stripe-starter", "vendor": "mickasmt"}], "analysis": {"en": {"generated_at": "2026-03-22T14:45:22.254744+00:00", "value": {"mitigation_remediation": ["Update mickasmt next-saas-stripe-starter to a patched version if one is available.", "If no patch exists, modify the generateUserStripe routine to validate the priceId against a whitelist of legitimate Stripe price identifiers before processing.", "Log attempts to use invalid priceId values and alert administrators."], "summary": {"action": "Apply Patch", "impact": "Business Logic Error"}, "threat_synthesis": {"affected_systems": "The affected product is mickasmt next-saas-stripe-starter, version 1.0.0. This is a SaaS starter kit for integrating Stripe payment logic.", "description_and_impact": "The vulnerability resides in the generateUserStripe function of the Checkout Handler in mickasmt next-saas-stripe-starter 1.0.0. By manipulating the priceId input, an attacker can cause the function to produce incorrect or unintended Stripe accounts, leading to business logic errors that may affect billing, subscription charges, or financial transactions. The flaw is an unchecked parameter validation as outlined by CWE\u2011840.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, implying no current known exploit but still possible. The flaw can be exploited remotely by feeding a crafted priceId to the generateUserStripe endpoint, potentially leading to unauthorized account creation or pricing manipulation. The risk is moderate but could have financial impact if exploited."}}}}, "created": "2026-03-23T09:46:29.943242+00:00", "updated": "2026-03-25T14:46:28.701820+00:00", "vendors": ["mickasmt", "mickasmt$PRODUCT$next-saas-stripe-starter"]}