search menu icon-carat-right cmu-wordmark

CERT Coordination Center

PayRange Android app version 7.0.7 contains multiple vulnerabilities

Vulnerability Note VU#152953

Original Release Date: 2026-07-09 | Last Revised: 2026-07-09

Overview

PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store.

Description

A vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app.

The PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates):

  • Common Name ends with "payrange.com"
  • Common Name contains "stripe.com"
  • Common Name contains "fetlifestatus.com" AND any of these conditions are true:
  • Issuer Common Name is "R10"
  • Issuer Common Name is "R3"
  • Issuer Common Name contains "Network Solutions"

The attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers.

Impact

An attacker may be able to intercept any information they can convince the user to send through the app. If the user is a machine operator, the injected JavaScript code can also connect to PayRange hardware and issue commands with the full permissions of the operator.

Solution

Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. Apply the latest software updates provided by your hardware or software vendor as they become available.

Acknowledgements

Thanks to Tahi Wilton Geary for reporting this vulnerability. This document was written by Bob Kemerer.

Vendor Information

152953
 

PayRange Unknown

Notified:  2026-05-18 Updated: 2026-07-09

CVE-2026-13461 Unknown
CVE-2026-13462 Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2026-13461 CVE-2026-13462
API URL: VINCE JSON | CSAF
Date Public: 2026-07-09
Date First Published: 2026-07-09
Date Last Updated: 2026-07-09 17:14 UTC
Document Revision: 2

Sponsored by CISA.