A vulnerability was found in AojiaoZero Antaris 1.0 and classified as critical. This affects the function
_rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The manipulation of the argument item_number results in sql injection.
This vulnerability was named CVE-2026-15502. The attack may be performed from remote. There is no available exploit.
The vendor was contacted early about this disclosure but did not respond in any way.