CVE-2026-1153

MEDIUM

Technical-laohu Mpay < 1.2.4 - Missing Authorization

Title source: rule

Description

A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used.

References (4)

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/bdkuzma/vuln/issues/18

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.341746

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.341746

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.735789

Scores

CVSS v3 4.3

EPSS 0.0005

EPSS Percentile 14.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Classification

CWE

CWE-862 CWE-352

Status published

Affected Products (1)

technical-laohu/mpay < 1.2.4

Timeline

Published Jan 19, 2026

Tracked Since Feb 18, 2026