SQL Injection Vulnerability in AojiaoZero Antaris PayPal Payment Handler
CVE-2026-15502

5.3MEDIUM

Key Information:

Vendor

Aojiaozero

Status
Vendor
CVE Published:
12 July 2026

What is CVE-2026-15502?

AojiaoZero Antaris 1.0 contains a vulnerability in the PayPal IPN Payment Handler's _rewardPurchase function located in /ipn.php. An attacker can exploit this vulnerability by manipulating the item_number argument, leading to SQL injection. This type of attack allows remote adversaries to execute arbitrary SQL commands, which can compromise the confidentiality and integrity of the database. Despite early notifications to the vendor, there has been no public acknowledgment or resolution regarding this vulnerability.

Affected Version(s)

Antaris 1.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dest1ny_2 (VulDB User)
VulDB CNA Team
.