CVE-2026-13222
MediumCVSS 6.3Summary
The payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
Risk Assessment
The organization is exposed to financial losses and loss of access control, as an attacker can gain unauthorized access to multiple tickets without paying the appropriate costs.
Recommendation
Implement a mechanism to verify the uniqueness of payment status responses, such as checking the transaction ID or token, to ensure the response corresponds to the specific payment.
Original NVD description (English source)
Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

