CVE-2026-11462 - Vulnerability Details

- Chengdu Everbrite Network Technology BeikeShop Stripe Plugin StripeController.php callback improper authorization

Description

A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue.

Published: 2026-06-07

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw occurs in the Stripe Plugin's StripeController.php callback within Chengdu Everbrite's BeikeShop up to 1.6.0.22. An attacker can manipulate the request argument sent to the callback endpoint, which bypasses the intended authorization checks. This allows an unauthenticated or unauthorized user to trigger actions that should otherwise be protected, potentially resulting in unauthorized access to sensitive data or undesired financial actions. The weakness is classified as an improper authorization flaw (CWE‑266/285).

Affected Systems

Chengdu Everbrite Network Technology publishes the BeikeShop e‑commerce platform. The vulnerability affects all versions of the platform up to and including 1.6.0.22 that use the Stripe Plugin. The specific component is the StripeController.php file within the plugin. Users running the affected releases should review the patch commit 6719e0fc690ea0a998452092862e0f0a17c65968 for remediation.

Risk and Exploitability

The CVSS score of 6.9 places the vulnerability in the medium severity range. No EPSS value is available, but the vulnerability is publicly advertised and can be exploited remotely through the exposed callback endpoint. The issue is not listed in the CISA KEV catalog, but its public exploitation potential and lack of mitigations means that organizations should treat it as a moderate risk that can lead to unauthorized data or transaction compromise. The attack vector is likely remote, requiring only the ability to send a crafted request to the callback URL.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Chengdu Everbrite Network Technology

BeikeShop

affected

Version	Status	Constraints
`1.6.0.0`	affected	—
`1.6.0.1`	affected	—
`1.6.0.2`	affected	—
`1.6.0.3`	affected	—
`1.6.0.4`	affected	—
`1.6.0.5`	affected	—
`1.6.0.6`	affected	—
`1.6.0.7`	affected	—
`1.6.0.8`	affected	—
`1.6.0.9`	affected	—
`1.6.0.10`	affected	—
`1.6.0.11`	affected	—
`1.6.0.12`	affected	—
`1.6.0.13`	affected	—
`1.6.0.14`	affected	—
`1.6.0.15`	affected	—
`1.6.0.16`	affected	—
`1.6.0.17`	affected	—
`1.6.0.18`	affected	—
`1.6.0.19`	affected	—
`1.6.0.20`	affected	—
`1.6.0.21`	affected	—
`1.6.0.22`	affected	—

No data.

Vendor Product Confidence Versions

Chengdu Everbrite Network Technology

Beike Shop

95%

Version	Status	Scheme	Platform
`1.6.0.0`	affected	generic	—
`1.6.0.1`	affected	generic	—
`1.6.0.2`	affected	generic	—
`1.6.0.3`	affected	generic	—
`1.6.0.4`	affected	generic	—
`1.6.0.5`	affected	generic	—
`1.6.0.6`	affected	generic	—
`1.6.0.7`	affected	generic	—
`1.6.0.8`	affected	generic	—
`1.6.0.9`	affected	generic	—
`1.6.0.10`	affected	generic	—
`1.6.0.11`	affected	generic	—
`1.6.0.12`	affected	generic	—
`1.6.0.13`	affected	generic	—
`1.6.0.14`	affected	generic	—
`1.6.0.15`	affected	generic	—
`1.6.0.16`	affected	generic	—
`1.6.0.17`	affected	generic	—
`1.6.0.18`	affected	generic	—
`1.6.0.19`	affected	generic	—
`1.6.0.20`	affected	generic	—
`1.6.0.21`	affected	generic	—
`1.6.0.22`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch commit 6719e0fc690ea0a998452092862e0f0a17c65968 or upgrade to a BeikeShop version that includes the fix.
Restrict the Stripe callback endpoint with authentication controls or network restrictions to ensure only authorized traffic can reach it.
If a patch cannot be applied immediately, block external access to the StripeController callback endpoint using firewall or web‑application firewall rules until remediation is in place.

Generated by OpenCVE AI on June 8, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/beikeshop/beikeshop/commit/6719e0fc690ea0a998452092862e0f0a17c65968
https://github.com/nuiifornet/BeikeShop-Vulnerability/blob/main/README.md
https://vuldb.com/cve/CVE-2026-11462
https://vuldb.com/submit/831466
https://vuldb.com/vuln/369082
https://vuldb.com/vuln/369082/cti

History

Mon, 08 Jun 2026 03:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Chengdu Everbrite Network Technology beike Shop
Vendors & Products		Chengdu Everbrite Network Technology beike Shop

Mon, 08 Jun 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue.
Title		Chengdu Everbrite Network Technology BeikeShop Stripe Plugin StripeController.php callback improper authorization
First Time appeared		Chengdu Everbrite Network Technology Chengdu Everbrite Network Technology beikeshop
Weaknesses		CWE-266 CWE-285
CPEs		cpe:2.3:a:chengdu_everbrite_network_technology:beikeshop::::::::
Vendors & Products		Chengdu Everbrite Network Technology Chengdu Everbrite Network Technology beikeshop
References		https://github.com/beikeshop/beikeshop/commit/6719e0fc690ea0a998452092862e0f0a17c65968 https://github.com/nuiifornet/BeikeShop-Vulnerability/blob/main/README.md https://vuldb.com/cve/CVE-2026-11462 https://vuldb.com/submit/831466 https://vuldb.com/vuln/369082 https://vuldb.com/vuln/369082/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Chengdu Everbrite Network Technology Beike Shop Beikeshop

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-07T22:00:13.496Z

Updated: 2026-06-07T22:00:13.496Z

Reserved: 2026-06-07T07:32:23.691Z

Link: CVE-2026-11462

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-07T23:16:41.040

Modified: 2026-06-07T23:16:41.040

Link: CVE-2026-11462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T03:30:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object