SQL Injection Vulnerability in AojiaoZero Antaris PayPal Payment Handler
CVE-2026-15502
5.3MEDIUM
What is CVE-2026-15502?
AojiaoZero Antaris 1.0 contains a vulnerability in the PayPal IPN Payment Handler's _rewardPurchase function located in /ipn.php. An attacker can exploit this vulnerability by manipulating the item_number argument, leading to SQL injection. This type of attack allows remote adversaries to execute arbitrary SQL commands, which can compromise the confidentiality and integrity of the database. Despite early notifications to the vendor, there has been no public acknowledgment or resolution regarding this vulnerability.
Affected Version(s)
Antaris 1.0
