CVE-2026-1153
Cross-Site Request Forgery in Technical-Laohu Mpay
Publication date: 2026-01-19
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| technical-laohu | mpay | From 1.2.0 (inclusive) to 1.2.4 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized actions that could lead to user information leakage and account tampering, it may indirectly affect compliance by compromising data integrity and user privacy. No direct statements about regulatory compliance impact are available. [1, 2, 3]
Can you explain this vulnerability to me?
CVE-2026-1153 is a Cross-Site Request Forgery (CSRF) vulnerability in the technical-laohu mpay system up to version 1.2.4, specifically affecting the account management deletion function. This vulnerability allows attackers to exploit an authenticated user's session to perform unauthorized and malicious actions without the user's consent or knowledge. It occurs because the application does not properly verify that requests are intentionally submitted by the authenticated user, enabling remote attackers to execute unauthorized operations. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized account modifications, leakage of user information, and inadvertent triggering of sensitive operations. Attackers can exploit authenticated users' sessions remotely to perform malicious actions without their consent, compromising the integrity of the affected system. Such impacts may result in account tampering and potential misuse of user data. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this CSRF vulnerability involves monitoring for unauthorized or unexpected requests to the account management deletion function of the mpay system version 1.2.4. Since the vulnerability exploits authenticated user sessions, network monitoring tools can be used to detect suspicious POST requests lacking proper CSRF tokens or originating from unexpected sources. Specific commands are not provided in the resources, but general approaches include inspecting HTTP request headers for missing or invalid CSRF tokens, checking Referer or Origin headers, and analyzing logs for unusual account deletion requests. Additionally, reviewing the application code or traffic for absence of CSRF protections like tokens or SameSite cookie attributes can help identify the vulnerability. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing CSRF protections such as verifying the request source using headers like Referer or Origin, adding CSRF tokens to sensitive requests, setting the SameSite attribute on cookies to restrict cross-site requests, and enforcing secondary authentication for sensitive actions like account deletion. Since no known countermeasures or official patches are available, replacing the affected product with an alternative is also suggested to avoid risk. [2, 3]
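One way to combine the protections listed above (Origin/Referer source check, a session-bound CSRF token, and a SameSite session cookie) in front of an account-deletion action, as an added illustration that is not mpay's own code: the site origin, the HMAC secret, the request object and the in-memory account store are all constructed here for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Assumed deployment origin of the protected application (constructed value).
SITE_ORIGIN = "https://mpay.example"

@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed, not a real framework type)."""
    method: str
    headers: dict
    cookies: dict
    form: dict

def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Synchronizer-token pattern: derive a token bound to the session via HMAC-SHA256."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_check(req: Request, secret: bytes) -> tuple[bool, str]:
    """Return (allowed, reason). Fails closed when any check cannot be satisfied."""
    if req.method != "POST":
        return False, "state-changing action must be POST"
    session_id = req.cookies.get("session")
    if not session_id:
        return False, "no authenticated session"
    # Source check: Origin (or Referer as fallback) must point at our own site.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (source == SITE_ORIGIN or source.startswith(SITE_ORIGIN + "/")):
        return False, f"unexpected request source: {source!r}"
    # Token check: the submitted token must match the session-bound one (constant-time compare).
    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def delete_account(req: Request, secret: bytes, accounts: dict) -> tuple[bool, str]:
    """Only remove the account when the request passes the CSRF checks."""
    ok, reason = csrf_check(req, secret)
    if ok:
        accounts.pop(req.form.get("account_id"), None)
    return ok, reason

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax stops browsers attaching the cookie to cross-site POSTs."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```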