Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by wevm
CVE-2026-34209 (GCVE-0-2026-34209)
Vulnerability from nvd – Published: 2026-03-31 14:10 – Updated: 2026-04-02 15:13
VLAI
Title
mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality
Summary
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/wevm/mppx/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/wevm/mppx/commit/94088246ee18f… | x_refsource_MISC |
| https://github.com/wevm/mppx/releases/tag/mppx@0.4.11 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:13:21.208040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:13:32.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mppx",
"vendor": "wevm",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"\u003c\" instead of \"\u003c=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:10:46.416Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"
},
{
"name": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"
},
{
"name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"
}
],
"source": {
"advisory": "GHSA-mv9j-8jvg-j8mr",
"discovery": "UNKNOWN"
},
"title": "mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34209",
"datePublished": "2026-03-31T14:10:46.416Z",
"dateReserved": "2026-03-26T15:57:52.324Z",
"dateUpdated": "2026-04-02T15:13:32.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34210 (GCVE-0-2026-34210)
Vulnerability from nvd – Published: 2026-03-31 14:10 – Updated: 2026-03-31 18:53
VLAI
Title
mppx has Stripe charge credential replay via missing idempotency check
Summary
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/wevm/mppx/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/wevm/mppx/commit/b2b1a0b60506f… | x_refsource_MISC |
| https://github.com/wevm/mppx/releases/tag/mppx@0.4.11 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T18:50:24.072789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:53:01.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mppx",
"vendor": "wevm",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe\u0027s Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:10:10.463Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw"
},
{
"name": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994"
},
{
"name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"
}
],
"source": {
"advisory": "GHSA-8mhj-rffc-rcvw",
"discovery": "UNKNOWN"
},
"title": "mppx has Stripe charge credential replay via missing idempotency check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34210",
"datePublished": "2026-03-31T14:10:10.463Z",
"dateReserved": "2026-03-26T15:57:52.324Z",
"dateUpdated": "2026-03-31T18:53:01.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34209 (GCVE-0-2026-34209)
Vulnerability from cvelistv5 – Published: 2026-03-31 14:10 – Updated: 2026-04-02 15:13
VLAI
Title
mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality
Summary
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/wevm/mppx/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/wevm/mppx/commit/94088246ee18f… | x_refsource_MISC |
| https://github.com/wevm/mppx/releases/tag/mppx@0.4.11 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T15:13:21.208040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T15:13:32.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mppx",
"vendor": "wevm",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"\u003c\" instead of \"\u003c=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:10:46.416Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"
},
{
"name": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"
},
{
"name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"
}
],
"source": {
"advisory": "GHSA-mv9j-8jvg-j8mr",
"discovery": "UNKNOWN"
},
"title": "mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34209",
"datePublished": "2026-03-31T14:10:46.416Z",
"dateReserved": "2026-03-26T15:57:52.324Z",
"dateUpdated": "2026-04-02T15:13:32.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34210 (GCVE-0-2026-34210)
Vulnerability from cvelistv5 – Published: 2026-03-31 14:10 – Updated: 2026-03-31 18:53
VLAI
Title
mppx has Stripe charge credential replay via missing idempotency check
Summary
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/wevm/mppx/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/wevm/mppx/commit/b2b1a0b60506f… | x_refsource_MISC |
| https://github.com/wevm/mppx/releases/tag/mppx@0.4.11 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T18:50:24.072789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:53:01.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mppx",
"vendor": "wevm",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe\u0027s Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:10:10.463Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw"
},
{
"name": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994"
},
{
"name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"
}
],
"source": {
"advisory": "GHSA-8mhj-rffc-rcvw",
"discovery": "UNKNOWN"
},
"title": "mppx has Stripe charge credential replay via missing idempotency check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34210",
"datePublished": "2026-03-31T14:10:10.463Z",
"dateReserved": "2026-03-26T15:57:52.324Z",
"dateUpdated": "2026-03-31T18:53:01.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}