By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2026-0750

Signature Forgery
Affects
Commerce Paybox
in
Drupal 7
No items found.
Versions
>=7.1.0 <=7.1.5
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Commerce Paybox contributed module allows users to pay through the commercial Paybox service.

The compromised module allows an attacker to craft a return URL to mark a transaction as successful without a real payment. The fix ensures that this is no longer possible.

Signature forgery is a vulnerability that allows attackers to create fraudulent digital signatures that appear legitimate, often by exploiting weaknesses in cryptographic algorithms, improper verification processes (such as CWE-347: Improper Verification of Cryptographic Signature), or flaws in key management and signature validation. This can occur in contexts like JWTs, XML documents, or API tokens where signatures are used to ensure integrity and authenticity, enabling attackers to tamper with data or impersonate entities without the private key. Additional information is available at OWASP: https://owasp.org/Top10/A02_2021-Cryptographic_Failures.

Ramifications include:

  • Data tampering
  • Unauthorized access
  • Identity spoofing
  • Malware injection
  • Trust erosion, and
  • System compromise.

This issue affects all versions of Drupal 7 Commerce Paybox including and below 7.1.5; it is patched  in Commerce Paybox NES version 7.1.6.

Details

Module Info

Vulnerability Info

This high-severity vulnerability is found in all versions of the Commerce Paybox module equal to or lower than 7.1.5.

This fix adds Paybox signature verification on the offsite return using the Paybox public key  (the sig parameter). If the IPN hasn’t confirmed the payment and the gateway returned a  non-00000 error, the redirect is rejected.

Steps To Reproduce

1. On a vanilla Drupal 7 instance, install and enable a susceptible version of Commerce Paybox (any version under 7.1.6) with its basic dependencies:

ddev composer require drupal/commerce drupal/entity drupal/rules drupal/views 
ddev drush en -y commerce commerce_ui commerce_product commerce_order commerce_customer commerce_payment commerce_checkout commerce_cart commerce_paybox

2. For local testing only, modify the module to add a mock return flow (not present in stock Commerce Paybox). If you add a commerce_paybox_mock_enabled variable in your local patch, enable it and clear caches:

ddev drush vset commerce_paybox_mock_enabled 1 && ddev drush cc all

3. Whitelist local IPs:

ddev drush php-eval 'variable_set("commerce_paybox_paybox_servers", array("127.0.0.1","::1","::ffff:127.0.0.1","192.168.97.5"));'

4. Create a pending transaction:

  • Add a simple product and go through checkout, selecting Paybox (mock keeps you on-site). Stop after “Checkout complete” — the payment stays PENDING.
  • In /admin/commerce/orders, open the order → Payments, and note the txnid (or order number if using order-number mode).

5. Trigger the forged return flow (vulnerable behavior) 

Addressing the Issue

Users of the affected component(s) can address this exploit in one of the following ways:

  • Remove/disable the Paybox payment method from checkout so orders can’t complete through it.
  • Restrict the callback endpoints (/commerce_paybox/auto and the return URL) at the reverse proxy/WAF to only known Paybox IPs. Note that this reduces the attack surface but is not a fix.
  • Add a temporary reverse-proxy rule to drop callbacks with missing/invalid sig parameters. Note that this reduces the attack surface but is not a fix.
  • The only true mitigations are to disable the module and patching it. Consider signing up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

  • David Hernández (defr)
Pink arrow
Pink arrow
CVE-2025-31687
CVE-2025-31689
SA-CORE-2025-002
SA-CONTRIB-2025-072
SA-CONTRIB-2025-028
CVE-2025-3901
CVE-2025-12848
CVE-2025-3900
CVE-2024-13247
CVE-2025-14556
CVE-2025-14557
CVE-2025-47705
CVE-2026-0750
CVE-2026-0749
CVE-2026-0748
CVE-2025-31675
CVE-2026-1556
CVE-2025-13083
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2026-0750
PROJECT Affected
Commerce Paybox
Versions Affected
>=7.1.0 <=7.1.5
NES Versions Affected
Published date
January 13, 2026
≈ Fix date
May 28, 2025
Fixed in
NES for Drupal 7
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
Category
Signature Forgery
Sign up for the latest vulnerability alerts fixed in
NES for Drupal 7
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.