{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40481", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-17T22:54:57.545Z", "dateUpdated": "2026-04-20T13:36:05.862Z"}, "containers": {"cna": {"title": "monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2"}, {"name": "https://github.com/monetr/monetr/releases/tag/v1.12.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/monetr/monetr/releases/tag/v1.12.4"}], "affected": [{"vendor": "monetr", "product": "monetr", "versions": [{"version": "< 1.12.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T22:54:57.545Z"}, "descriptions": [{"lang": "en", "value": "monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4."}], "source": {"advisory": "GHSA-v7xq-3wx6-fqc2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40481", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:24:58.574414Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:36:05.862Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40481", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:24:58.574414Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:32:35.321Z"}}], "cna": {"title": "monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation", "source": {"advisory": "GHSA-v7xq-3wx6-fqc2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "monetr", "product": "monetr", "versions": [{"status": "affected", "version": "< 1.12.4"}]}], "references": [{"url": "https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2", "name": "https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/monetr/monetr/releases/tag/v1.12.4", "name": "https://github.com/monetr/monetr/releases/tag/v1.12.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T22:54:57.545Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40481", "state": "PUBLISHED", "dateUpdated": "2026-04-20T13:36:05.862Z", "dateReserved": "2026-04-13T19:50:42.114Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T22:54:57.545Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monetr:monetr:*:*:*:*:*:*:*:*", "matchCriteriaId": "47E7AFEC-B13C-4F77-9CCD-1FD34D039962", "versionEndExcluding": "1.12.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4."}], "id": "CVE-2026-40481", "lastModified": "2026-04-24T16:57:39.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T23:16:12.457", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/monetr/monetr/releases/tag/v1.12.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.12.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "monetr", "source": "cna", "vendor": "monetr"}, "product": "monetr", "vendor": "monetr"}], "analysis": {"en": {"generated_at": "2026-04-18T08:51:06.136542+00:00", "value": {"mitigation_remediation": ["Upgrade to monetr version 1.12.4 or later, where the request body buffering before signature validation has been removed.", "If upgrading is not immediately possible, configure an upstream proxy or load balancer to enforce a strict maximum request body size, such as setting \"client_max_body_size\" in Nginx or the \"MaxRequestBodySize\" in IIS, to prevent large payloads from reaching the application.", "Consider disabling the Stripe webhook endpoint if the feature is not required for the deployment, or replace it with a more secure integration that performs signature validation before reading the request body."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects monetr monetr deployments using versions 1.12.3 and earlier. Attackers can target any instance that exposes the Stripe webhook and has the bug present.", "description_and_impact": "A vulnerability in the public Stripe webhook endpoint of monetr buffers the entire request body into memory before validating the Stripe signature. This allows a remote unauthenticated attacker to send oversized POST payloads that trigger uncontrolled memory growth, leading to denial of service. The weakness is reflected in CWE\u2011400 and is limited to applications that have Stripe webhooks enabled.", "risk_and_exploitability": "With a CVSS score of 8.2 the vulnerability is considered high severity. The EPSS score is currently unavailable, but the impact is significant for any exposed webhook. It is not listed in the CISA KEV catalog. Without defensive controls, the flaw can be exploited remotely by an unauthenticated user, and the denial of service can affect application availability."}}}}, "created": "2026-04-18T09:00:05.894009+00:00", "updated": "2026-04-20T14:59:25.745320+00:00", "vendors": ["monetr", "monetr$PRODUCT$monetr"]}