Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable client endpoint (AV:N), no special timing (AC:L), requires a low-privileged client login (PR:L), no user interaction, confidentiality-only cross-tenant data leak so C:H and I/A:N.
Primary rating from Vendor (GitHub_M).
Description (CVE.org)
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients' data.

Details: In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0.
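The grouping flaw described above, reconstructed as an added example in Python against an in-memory SQLite table (this is not FOSSBilling's PHP code; the table name, column names and sample rows are constructed). The ungrouped variant lets the trailing OR term escape the client_id constraint; the parenthesised variant is the corrected form, and a small check reports whether a result set contains another tenant's rows.

```python
import sqlite3

# Constructed sample data: two tenants (client_id 101 and 202), two transactions each.
SAMPLE_ROWS = [
    (1, 101, "paid", 10.0),
    (2, 101, "pending", 20.0),
    (3, 202, "paid", 30.0),
    (4, 202, "refunded", 40.0),
]


def _connect():
    """In-memory SQLite table standing in for a transaction table (names assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE txn (id INTEGER, client_id INTEGER, status TEXT, amount REAL)")
    con.executemany("INSERT INTO txn VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def build_search_query(client_id, search=None, grouped=True):
    """Tenant-scoped list query with an optional multi-column search filter.

    grouped=False reproduces the precedence flaw the advisory describes:
    'A AND B OR C' parses as '(A AND B) OR C', so term C ignores client_id.
    grouped=True is the corrected form with the whole OR branch parenthesised.
    All values are bound parameters, so the issue is clause grouping, not injection.
    """
    sql = "SELECT id, client_id, status, amount FROM txn WHERE client_id = :client_id"
    params = {"client_id": client_id}
    if search:
        params["search"] = f"%{search}%"
        or_terms = "status LIKE :search OR CAST(id AS TEXT) LIKE :search"
        sql += f" AND ({or_terms})" if grouped else f" AND {or_terms}"
    return sql + " ORDER BY id", params


def list_transactions(client_id, search=None, grouped=True):
    """Run the query and return the rows the calling client would see."""
    con = _connect()
    try:
        sql, params = build_search_query(client_id, search, grouped)
        return con.execute(sql, params).fetchall()
    finally:
        con.close()


def leaks_other_tenants(client_id, search=None, grouped=True):
    """Defender's check: does the result set contain rows owned by another client?"""
    return any(row[1] != client_id for row in list_transactions(client_id, search, grouped))


if __name__ == "__main__":
    # Client 101 searches for "4": only row 4 matches, and it belongs to client 202.
    print(list_transactions(101, "4", grouped=False))  # ungrouped: returns client 202's row
    print(list_transactions(101, "4", grouped=True))   # grouped: correctly returns nothing
```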
Analysis (AI)
Cross-tenant data exposure in FOSSBilling 0.7.2 and earlier lets authenticated client users retrieve transaction and order records belonging to other clients by abusing SQL operator precedence in list-endpoint search queries. No public exploit had been identified at the time of analysis, and the issue is not listed in CISA KEV, but the low complexity and low-privilege requirement make it a meaningful confidentiality risk for multi-tenant deployments. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires an authenticated low-privileged client account on a network-reachable FOSSBilling 0.7.2-or-earlier instance with the standard client area exposed, matching CVSS PR:L, AV:N, AC:L, UI:N. … |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N (score 7.1) accurately models the threat: network-reachable, low-complexity, requires an authenticated low-privileged client account, no user interaction, and produces high confidentiality impact with no integrity or availability impact. … |
| Exploit Scenario | An attacker registers or already controls a legitimate low-privileged client account on a FOSSBilling tenant. They send crafted GET/POST requests to the client-facing transactions or orders list endpoints with search or action filter parameters that satisfy the OR branch of the WHERE clause, causing the database to return rows where client_id does not match their own. … |
| Remediation | Vendor-released patch: FOSSBilling 0.8.0 (released 2026-05-28). Upgrade per https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0 and the advisory at https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-xcrv-cccw-r65v. … |
Recommended Action (AI)
24 hours: Identify all FOSSBilling instances, confirm versions, and assess scope (number of tenants, data classification). …
Weakness: CWE-863 – Incorrect Authorization
Technique: Authentication Bypass
EUVD-2026-38613