CVE-2026-13461
Received Received - Intake

JavaScript Injection in PayRange App via SSL Bypass

Vulnerability report for CVE-2026-13461, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: CERT/CC

Description

When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.0.7 app. The injection of specific JavaScript function calls allows the attacker to escape the WebView sandbox and perform a number of dangerous actions on the user's device.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
payrange payrange 7.0.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-13461 is a vulnerability in the PayRange Android app version 7.0.7 that allows an attacker to inject JavaScript into a WebView component. This injection enables the attacker to escape the WebView sandbox, which normally restricts what code can do, and perform dangerous actions on the user's device.

The attack typically involves an on-path interception where the attacker redirects traffic to a device they control and injects malicious JavaScript content into the WebView. This vulnerability is related to another SSL bypass issue that allows invalid SSL certificates to be accepted, facilitating the interception.

Impact Analysis

This vulnerability can lead to several serious impacts including unauthorized actions on your device such as credential harvesting, making malicious requests, and accessing data without permission.

Because the attacker can escape the WebView sandbox, they may execute arbitrary code or commands, potentially compromising the integrity, confidentiality, and availability of your device and data.

Detection Guidance

This vulnerability involves JavaScript injection into a WebView in the PayRange app version 7.0.7, exploited via an on-path interception attack that redirects traffic to a controlled device. Detection can focus on monitoring network traffic for signs of SSL bypass or interception, such as invalid SSL certificates or unexpected redirects.

Commands to detect suspicious network activity might include using tools like tcpdump or Wireshark to capture and analyze traffic for invalid SSL certificates or unusual redirects targeting the PayRange app.

  • Use tcpdump to capture traffic on the device: tcpdump -i <interface> port 443
  • Use OpenSSL to check SSL certificate validity: openssl s_client -connect <target>:443
  • Monitor device logs or app network logs for errors related to SSL validation failures or unexpected JavaScript execution in WebViews.

Additionally, static or dynamic analysis tools could be used to detect injection points or suspicious JavaScript execution within the app, but specific commands for this are not provided.

Mitigation Strategies

Immediate mitigation steps include applying the latest updates or patches provided by the hardware or software vendor to address this vulnerability.

Since the vulnerability exploits SSL bypass and JavaScript injection in WebViews, users should avoid connecting to untrusted networks where on-path interception is possible.

From a development and architectural perspective, mitigation involves avoiding dynamic code generation, enforcing strict input validation with allowlists, and sandboxing code execution environments to prevent code injection attacks.

Operationally, monitoring for invalid SSL certificates and ensuring proper SSL validation can reduce the risk of exploitation.

Compliance Impact

The vulnerability allows attackers to inject JavaScript into the PayRange app's WebView, escape the sandbox, and perform malicious actions such as credential harvesting and unauthorized data access. Such actions can lead to breaches of confidentiality and unauthorized disclosure of personal or sensitive data.

These impacts can affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and sensitive health information. Unauthorized data access and credential theft could result in violations of data protection requirements, potentially leading to legal and regulatory consequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart