CVE-2026-40481

UNKNOWN 0.0

monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4.

CWE	CWE-400
Vendor	monetr
Product	monetr
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for monetr monetr

Be the first to know when new unknown vulnerabilities affecting monetr monetr are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

monetr / monetr

< 1.12.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2 github.com: https://github.com/monetr/monetr/releases/tag/v1.12.4