
AIKIDO-2026-11082

globalpayments/php-sdk is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

35

Low Risk

This Affects:

PHP: globalpayments/php-sdk
14.1.3 - 14.1.15
Fixed in 14.1.16

TL;DR

Affected versions are vulnerable to Cross-Site Scripting (XSS) in the hosted payment page installments filtering example. The example concatenates the pay-by-link URL returned in the API response directly into an HTML anchor tag without context-aware escaping, so attacker-influenced URL content can break out of the attribute and be interpreted as markup or script when the example code is reused in a web context. The patched version routes the URL through htmlspecialchars with ENT_QUOTES before rendering, treating the value as data rather than markup.
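The vulnerable concatenation pattern beside the htmlspecialchars fix, written as an added example for this advisory (not code from the globalpayments/php-sdk project). The URL value, the function names and the scheme allow-list are constructed for illustration.

```php
<?php
// Added example, not the SDK's own code: rendering a pay-by-link URL taken
// from an API response into an HTML anchor, as the installments example does.

// Constructed sample value: a URL carrying a double quote, which is enough
// to terminate the href attribute when the value is concatenated raw.
$payByLinkUrl = 'https://example.test/pay?ref=abc" data-injected="1';

// Vulnerable pattern described in the advisory: the value is treated as
// markup, so the embedded quote closes href and the remainder becomes
// a new attribute (or anything else the value contains).
function renderLinkUnsafe(string $url): string
{
    return '<a href="' . $url . '">Pay now</a>';
}

// Patched pattern: context-aware escaping for an HTML attribute. ENT_QUOTES
// encodes both " and ', so the value cannot leave the attribute it sits in.
function renderLinkEscaped(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '">Pay now</a>';
}

// Defence in depth (assumption, not part of the advisory's fix): escaping
// stops attribute break-out but says nothing about the URL's scheme, so an
// href should additionally be restricted to http(s) before it is rendered.
function isRenderableUrl(string $url): bool
{
    return preg_match('#^https?://#i', $url) === 1;
}

// Self-check: the escaped anchor must contain exactly the two quotes that
// delimit href; any further raw quote means the value escaped the attribute.
function attributeStaysClosed(string $html): bool
{
    return substr_count($html, '"') === 2;
}

if (!isRenderableUrl($payByLinkUrl)) {
    throw new RuntimeException('refusing to render a non-http(s) URL');
}
if (attributeStaysClosed(renderLinkUnsafe($payByLinkUrl))) {
    throw new RuntimeException('expected the raw concatenation to break out');
}
if (!attributeStaysClosed(renderLinkEscaped($payByLinkUrl))) {
    throw new RuntimeException('escaped rendering must keep href closed');
}
echo renderLinkEscaped($payByLinkUrl), PHP_EOL;
```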

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

globalpayments/php-sdk is vulnerable to Cross-Site Scripting (XSS) in versions 14.1.3 - 14.1.15.

How to fix this

Upgrade the globalpayments/php-sdk library to the patched version, 14.1.16.