CVE-2026-47198

HIGHPre-NVD 8.58.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
8.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 8.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Paymenter has URL parameter injection that bypasses paid plan limits at checkout

Summary

The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.

Technical Details

The Checkout Livewire component (app/Livewire/Products/Checkout.php) exposes the $checkoutConfig property to URL query parameters via the #[Url] attribute (aliased as config).

When processing this input:

  • Validation rules are dynamically generated *only* for keys explicitly defined by an extension's getCheckoutConfig() method. Any undefined keys injected into the query parameter bypass validation entirely.
  • The cart component (app/Livewire/Cart.php) stores all keys from checkout_config directly into the database without sanitation:
foreach ($item->checkout_config as $key => $value) {
       $service->properties()->updateOrCreate(['key' => $key], ['value' => $value]);
   }
  • During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension's createServer() method.

Because of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.

Impact

This is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.

Depending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.

CVSS v3
8.5
EG Score
8.5(low)
EPSS
KEV
Not listed

Published

June 30, 2026

Last Modified

June 30, 2026

Vendor Advisories for CVE-2026-47198(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 13× in last 7d / 13× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 05:14 UTCEG score recompute
  2. 2026-07-06 16:11 UTCEG score recompute
  3. 2026-07-06 03:14 UTCEG score recompute
  4. 2026-07-05 14:11 UTCEG score recompute
  5. 2026-07-05 01:14 UTCEG score recompute
  6. 2026-07-04 12:14 UTCEG score recompute
  7. 2026-07-03 23:15 UTCEG score recompute
  8. 2026-07-03 10:18 UTCEG score recompute
  9. 2026-07-02 21:20 UTCEG score recompute
  10. 2026-07-02 08:23 UTCEG score recompute
  11. 2026-07-01 19:25 UTCEG score recompute
  12. 2026-07-01 06:28 UTCEG score recompute
  13. 2026-06-30 17:31 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-47198?
CVE-2026-47198 is a high vulnerability published on June 30, 2026. Paymenter has URL parameter injection that bypasses paid plan limits at checkout Summary The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions…
When was CVE-2026-47198 disclosed?
CVE-2026-47198 was first published in the National Vulnerability Database on June 30, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-47198?
CVE-2026-47198 has a CVSS v4.0 base score of 8.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47198?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47198, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-47198

Explore →

Is Your Infrastructure Affected by CVE-2026-47198?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.