PatchSiren cyber security CVE debrief

CVE-2026-54810 Nexi Payments CVE debrief

CVE-2026-54810 is a high-severity vulnerability in Nexi Payments' Nexi XPay plugin, affecting versions from n/a (no lower bound given) through 8.3.1. The issue is a Missing Authorization vulnerability (CWE-862), which allows attackers to exploit incorrectly configured access control security levels. It carries a CVSS score of 7.5 and is rated HIGH severity. The CVE was published on 2026-06-17T15:17:01.240Z and last modified on 2026-06-17T17:17:27.033Z. Organizations using Nexi XPay should review their configurations and update to a patched version if one is available.

Vendor: Nexi Payments
Product: Nexi XPay
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and security teams responsible for payment processing systems, particularly those running Nexi XPay, should be aware of this vulnerability, as should security professionals and researchers monitoring for threats to payment processing systems.

Technical summary

CVE-2026-54810 stems from a Missing Authorization issue (CWE-862) in Nexi Payments' Nexi XPay plugin, which allows attackers to exploit incorrectly configured access control security levels. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, scope unchanged, no confidentiality or integrity impact, but high availability impact, giving a base score of 7.5 (HIGH).

Defensive priority

High

Recommended defensive actions

  • Review and update Nexi XPay to the latest version if available.
  • Verify access control configurations to ensure they are properly set up.
  • Monitor for suspicious activity related to Nexi XPay.
  • Implement additional security measures to protect payment processing systems.
  • Consider consulting vendor documentation or support for mitigation guidance.
  • Regularly review and update payment processing systems to prevent similar vulnerabilities.
  • Isolate affected systems if immediate patching is not possible.

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail can be found at [cve-org] and [nvd] respectively. Additional information is available at [ref-4].

Official resources

This debrief is based on publicly available information and is intended for general informational purposes only.