CVE-2026-1153
Unknown Unknown - Not Provided
Cross-Site Request Forgery in Technical-Laohu Mpay

Publication date: 2026-01-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1153
EUVD
EUVD-2026-3220
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
technical-laohu mpay From 1.2.0 (inc) to 1.2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1153 is a Cross-Site Request Forgery (CSRF) vulnerability in the technical-laohu mpay system up to version 1.2.4, specifically affecting the account management deletion function. This vulnerability allows attackers to exploit an authenticated user's session to perform unauthorized and malicious actions without the user's consent or knowledge. It occurs because the application does not properly verify that requests are intentionally submitted by the authenticated user, enabling remote attackers to execute unauthorized operations. [1, 2, 3]

Impact Analysis

This vulnerability can lead to unauthorized account modifications, leakage of user information, and inadvertent triggering of sensitive operations. Attackers can exploit authenticated users' sessions remotely to perform malicious actions without their consent, compromising the integrity of the affected system. Such impacts may result in account tampering and potential misuse of user data. [1, 2, 3]

Detection Guidance

Detection of this CSRF vulnerability involves monitoring for unauthorized or unexpected requests to the account management deletion function of the mpay system version 1.2.4. Since the vulnerability exploits authenticated user sessions, network monitoring tools can be used to detect suspicious POST requests lacking proper CSRF tokens or originating from unexpected sources. Specific commands are not provided in the resources, but general approaches include inspecting HTTP request headers for missing or invalid CSRF tokens, checking Referer or Origin headers, and analyzing logs for unusual account deletion requests. Additionally, reviewing the application code or traffic for absence of CSRF protections like tokens or SameSite cookie attributes can help identify the vulnerability. [1, 2, 3]

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protections such as verifying the request source using headers like Referer or Origin, adding CSRF tokens to sensitive requests, setting the SameSite attribute on cookies to restrict cross-site requests, and enforcing secondary authentication for sensitive actions like account deletion. Since no known countermeasures or official patches are available, replacing the affected product with an alternative is also suggested to avoid risk. [2, 3]

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized actions that could lead to user information leakage and account tampering, it may indirectly affect compliance by compromising data integrity and user privacy. No direct statements about regulatory compliance impact are available. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1153. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart