This vulnerability (CVE-2026-49064) in Stiofan GetPaid is classified under CWE-201, which involves the insertion of sensitive information into sent data. This flaw allows unauthorized retrieval of embedded sensitive data, potentially exposing confidential information. The CVSS 3.1 vector indicates the vulnerability is remotely exploitable without privileges or user interaction, with high confidentiality impact and no impact on integrity or availability. The affected versions include all versions up to 2.8.49. There is no vendor advisory or patch available at this time, and no known exploits in the wild have been reported.

An attacker can remotely retrieve sensitive information embedded in data sent by the affected GetPaid software, leading to a high confidentiality breach. There is no impact on data integrity or system availability. This exposure could result in unauthorized disclosure of confidential information.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently documented, users should monitor vendor communications for updates and consider limiting exposure of the affected software until a patch is available.