Description
CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access to trusted networks or IP ranges; enforce strict input validation at the application layer; and/or monitor transaction logs for anomalies or suspicious activity. These mitigations reduce exposure but do not fully eliminate the vulnerability.
Published: 2026-02-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Transaction Manipulation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper input validation in the transaction API of CediPay, classified as CWE-20. An attacker can bypass the API’s checks and submit crafted transaction requests that the application accepts. Based on the description, it is inferred that this can allow the creation of unauthorized crypto-to-fiat transfers, modification of transaction amounts, or execution of fraudulent operations that lead to financial loss.

Affected Systems

CediPay, developed by XpertForexTradeInc., is affected in all releases prior to version 1.2.3. The fix is implemented in version 1.2.3, and all subsequent releases are presumed patched.

Risk and Exploitability

The CVSS base score of 8.8 indicates a high-severity flaw, while the EPSS score of <1% implies a very low likelihood of exploitation at the time of evaluation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker who can reach the transaction API endpoint—whether publicly exposed or within a trusted network—and sends requests crafted to pass the inadequate validation. Although the probability of exploitation remains low, the potential for significant fraudulent activity and financial loss makes the risk substantial.

Generated by OpenCVE AI on April 18, 2026 at 11:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CediPay to version 1.2.3 or later promptly to apply the official fix.
  • If an upgrade cannot be performed immediately, restrict API access to trusted networks or specific IP ranges to limit exposure.
  • Enforce strict input validation at the application layer for all transaction requests to prevent malformed data from being processed.
  • Continuously monitor transaction logs for anomalies or suspicious activity and investigate promptly.



Advisories
Source: GitHub GHSA
ID: GHSA-wvr6-395c-5pxr
Title: CediPay Affected by Improper Input Validation in Payment Processing
History

Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Xpertforextradeinc; Xpertforextradeinc cedipay

Type: Vendors & Products
Values Removed: (none)
Values Added: Xpertforextradeinc; Xpertforextradeinc cedipay

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 19:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access to trusted networks or IP ranges; enforce strict input validation at the application layer; and/or monitor transaction logs for anomalies or suspicious activity. These mitigations reduce exposure but do not fully eliminate the vulnerability.

Type: Title
Values Removed: (none)
Values Added: CediPay Affected by Improper Input Validation in Payment Processing

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T21:23:44.840Z

Reserved: 2026-02-10T18:01:31.900Z

Link: CVE-2026-26063

Vulnrichment

Updated: 2026-02-19T20:58:47.679Z

NVD

Status: Deferred

Published: 2026-02-19T20:25:41.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses