Skip to main content

FOSSBilling CVE-2026-43927

| EUVDEUVD-2026-41963 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-07-06 security-advisories@github.com
6.9
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Authenticated client required (PR:L); race condition demands concurrent request timing (AC:H); impact is limited integrity only, no confidentiality or availability effect.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 23:01 EUVD
Analysis Generated
Jul 06, 2026 - 22:53 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request completes the usage increment, a client can obtain unlimited discounted or free orders from a single-use or limited-use promo code. Version 0.8.0 patches the issue. Some workarounds are available. Disable promo codes entirely until a patch is available or monitor the promo table for used values exceeding maxuses and manually review affected orders.

AnalysisAI

Race condition in FOSSBilling's cart checkout flow allows authenticated clients to exploit promo codes beyond their configured usage limits by submitting concurrent checkout requests. Affected versions prior to 0.8.0 fail to atomically check and increment promo code usage counts (CWE-367), enabling a single limited-use or one-time-use code to be redeemed unlimited times. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as FOSSBilling client
Delivery
Obtain valid limited-use promo code
Exploit
Craft concurrent checkout HTTP requests
Execution
Submit requests simultaneously before usage counter increments
Persist
Race condition bypasses maxuses check
Impact
Redeem promo code unlimited times for discounted or free orders

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated FOSSBilling client account - unauthenticated exploitation is not possible based on the description's explicit statement. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 score of 6.9 reflects a medium-severity business logic flaw with limited integrity impact (VI:L) and no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated FOSSBilling client identifies a valid promo code (e.g., a one-time-use free-shipping or discount code). The attacker writes a simple script to send 10-50 concurrent POST requests to the checkout endpoint, each referencing the same promo code, before any single request completes the database usage increment. …
Remediation Vendor-released patch: FOSSBilling 0.8.0 addresses this vulnerability and operators should upgrade immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-43927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy