External risk intelligence

PayRange App WebView JavaScript Injection Escape

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-13461

This vulnerability resides within a mobile application's WebView sandbox. Exploitation requires the victim to use a specific client-side application on their personal device. It is not an internet-facing service, gateway, or network infrastructure component, making public internet exposure in a standard deployment context very unlikely.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a mobile application that could allow malicious code to execute and perform dangerous actions on a user's device, particularly when combined with another SSL bypass issue. While the specific technology is a mobile app component, the core concern is the potential for unauthorized actions if a user interacts with a compromised version. The main concern is confirming relevance and exposure.

  • Malicious code could run on user devices.
  • Potential for dangerous actions on a user's device.
  • Confirm relevance and exposure to mobile app users.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by leveraging a separate SSL bypass vulnerability to inject malicious JavaScript into a WebView component within the PayRange app. This injection would allow the attacker to break out of the WebView's security restrictions, potentially leading to unauthorized actions on the user's device.

  • Requires an SSL bypass vulnerability.
  • Triggered by injecting JavaScript into WebView.
  • Risk of dangerous device actions.

Live Threat

Current exploitation, exposure, and threat context

When combined with an SSL bypass vulnerability, this flaw could allow an attacker to inject JavaScript into a mobile application's WebView. This could lead to escaping the sandbox and performing unauthorized actions on the user's device.

  • User's device actions
  • JavaScript injection
  • Unauthorized device operations

Operational Fix

Recommended remediation, mitigation, and detection steps

The discovery of JavaScript injection within the PayRange app's WebView, particularly when combined with SSL bypass, indicates that mobile application owners and platform teams should lead the response. The initial step involves identifying all instances of the affected application, assessing their reachability and criticality, and then assigning ownership for remediation planning based on the assessed risk.

  • Owners: Mobile application owners.
  • Verify: App reachability and device criticality.
  • Action: Plan targeted remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the PayRange app?

PayRange is a mobile application platform frequently used for managing and processing digital payments, often in unattended retail environments like vending machines or laundry facilities. It utilizes a WebView component, which is essentially an internal browser engine that allows the app to display web content seamlessly within its interface, bridging the gap between mobile app functionality and web-based services.

What does CVE-2026-13461 mean for the WebView sandbox?

This vulnerability involves an Improper Control of Generation of Code, specifically allowing JavaScript injection. Normally, a WebView sandbox restricts web code from interacting directly with the mobile device's operating system. CVE-2026-13461 permits an attacker to break out of these security boundaries, enabling the injected script to execute unauthorized and potentially harmful actions directly on the underlying device.

How is this WebView sandbox escape triggered?

An attacker must successfully execute an SSL bypass first to intercept or manipulate the app's traffic. Once that is achieved, they can inject malicious JavaScript into the WebView. Simply using the PayRange app under normal conditions does not trigger the bug; it requires this specific combination of traffic manipulation and malicious script delivery to bypass the intended security controls.

Is my network at risk from CVE-2026-13461?

Halo Surface Signal indicates that exploitation is very unlikely in standard network infrastructure. Because the vulnerability exists within a local client-side mobile application on an individual's device, it is not an internet-facing gateway or server-side service. The risk is localized to the specific mobile device running the affected version of the application rather than the broader network environment.

What should I do if I manage PayRange app deployments?

If you oversee this technology, first perform an inventory to identify all devices and users running version 7.0.7 of the PayRange app. Since remediation requires coordinated planning, assess the criticality of the data accessed by the app on those devices. Focus your initial efforts on identifying organizational owners who can prioritize and track the update process once a secure version becomes available.

References