cvedb.io
CVE-2026-34210
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2026-03-31T15:16:18.207 · Last modified 2026-06-17T10:38:39.450

Summary

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.

Affected products

wevm — mppx

Does this affect you?

Add your gear to cvedb and we'll alert you only when wevm ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.