Vendor
A vulnerability exists in yansongda/pay where signature verification is skipped when the Host header is `localhost`, allowing attackers to forge payment notifications.