What is CVE-2026-33661?

CVE-2026-33661 is a high-severity vulnerability in Yansongda Pay, classified under Authentication Bypass by Spoofing. CVSS score: 8.6/10. Published 2026-03-26.

How severe is CVE-2026-33661?

High severity. CVSS v3 base score is 8.6 out of 10.

Vulnerability in Yansongda Pay

CVE-2026-33661

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the `verify_wechat_sign()` function in `src/Functions.php` unconditionally skips all signature verification when the PSR-7 r…

EPSS: 0.000 (3.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N.

Affected products

Yansongda Pay — versions < 3.7.20

Weakness classification (CWE)

CWE-290 — Authentication Bypass by Spoofing

References

https://github.com/yansongda/pay/security/advisories/GHSA-q938-ghwv-8gvc (x_refsource_CONFIRM)
https://github.com/yansongda/pay/commit/26987ebf789f1e7f0a85febb640986ab4289fd7f (x_refsource_MISC)
https://github.com/yansongda/pay/releases/tag/v3.7.20 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33661?: CVE-2026-33661 is a high-severity vulnerability in Yansongda Pay, classified under Authentication Bypass by Spoofing. CVSS score: 8.6/10. Published 2026-03-26.
How severe is CVE-2026-33661?: High severity. CVSS v3 base score is 8.6 out of 10.