PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13461 PayRange CVE debrief

A critical vulnerability, CVE-2026-13461, was found in the PayRange app version 7.0.7. This vulnerability, when combined with an SSL bypass vulnerability, allows JavaScript injection into a WebView. The injected JavaScript can enable attackers to escape the WebView sandbox and perform dangerous actions on the user's device. The CVE record was published on 2026-07-09T17:16:56.997Z and was last modified on 2026-07-10T21:16:53.510Z.

Vendor
PayRange
Product
Unknown
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of PayRange version 7.0.7, as well as developers and security teams responsible for maintaining and securing mobile applications, should be aware of this vulnerability. Given the critical severity and potential impact, immediate attention is advised to assess exposure and apply necessary patches or mitigations.

Technical summary

CVE-2026-13461 is a critical vulnerability in the PayRange app version 7.0.7. The vulnerability allows for JavaScript injection into a WebView when coupled with an SSL bypass vulnerability. This injection enables attackers to escape the WebView sandbox and perform a number of dangerous actions on the user's device. The vulnerability has a CVSS score of 9.6 and is classified as CRITICAL. Users of PayRange version 7.0.7 should assess exposure and apply necessary patches or mitigations. The CVE record and NVD detail provide information on the vulnerability, but additional research may be necessary to fully understand the scope and impact.

Defensive priority

High

Recommended defensive actions

  • Immediately assess if the PayRange app version 7.0.7 is in use within the organization.
  • Apply the latest patch or update for the PayRange app to mitigate the vulnerability.
  • Implement additional monitoring to detect potential exploitation attempts.
  • Review and enforce secure coding practices for mobile application development.
  • Consider compensating controls, such as network monitoring and intrusion detection systems, to help detect and prevent exploitation.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. However, further details about the vendor, product, and affected versions are limited. Additional research and verification may be necessary to fully understand the scope and impact of this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T17:16:56.997Z and has not been modified since then.