[HIGH] WeChat Pay callback signature verification bypassed when Host header is localhost

PKSA-8dgs-n4fh-5pd5 CVE-2026-33661 GHSA-q938-ghwv-8gvc

Affected version: <=3.7.19

Reported by:
GitHub