Skip to main content

CISA warns PayRange Android 7.0.7 has TLS and WebView issues

PayRange, a mobile payment app, has two vulnerabilities in version 7.0.7 that affect how the app handles SSL certificates in application WebViews and how JavaScript input is processed. The issues enable an on-path interception scenario that can lead to interception of user-provided information and, in some cases, execution of actions with the permissions of a machine operator.

CVE-2026-13462 is a vulnerability in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. CVE-2026-13461 is a second vulnerability that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform dangerous actions on the user’s device. The app bypasses Android’s SSL trust chain and accepts certificates matching rule sets based on Common Name and issuer details, including certificates with self-signed issuers. The certificate acceptance rules are: Common Name ends with “payrange.com”; Common Name contains “stripe.com”; and Common Name contains “fetlifestatus.com” plus any of these conditions: Issuer Common Name is “R10”, Issuer Common Name is “R3”, or Issuer Common Name contains “Network Solutions.” The described attack vector is on-path interception in which an attacker can direct traffic intended for a legitimate server to a device they control, negotiate a TLS connection using any trusted certificate that matches the rule set, inject content into the WebView, and harvest credentials, issue malicious requests, and read data entered by the user, including exchanges with PayRange and Stripe servers.

An attacker may be able to intercept any information they can convince the user to send through the app. If the user is a machine operator, injected JavaScript code can connect to PayRange hardware and issue commands with the full permissions of the operator.

Coordination with the vendor was not completed. The guidance provided is to apply the latest software updates provided by the hardware or software vendor as they become available.

Thanks to Tahi Wilton Geary for reporting the vulnerability. The document was written by Bob Kemerer. Reference information in the advisory includes https://payrange.com/ and the Google Play listing at https://play.google.com/store/apps/details?id=com.payrange.payrange&hl=en-US. The advisory lists CVE IDs as CVE-2026-13462 and CVE-2026-13461, with dates public, first published, and last updated shown as 2026-07-09 and last updated time as 2026-07-09 17:14 UTC.