FOSSBilling

6 CVEs
CVE-2026-27708 HIGH PATCH This Week

Insecure direct object reference (IDOR) in FOSSBilling's Servicecustom Client API (versions 0.7.2 and prior) lets any authenticated client retrieve another client's custom service records by supplying a guessed sequential order_id, because the __call method fetches the order without an ownership check. The exposed data includes other clients' PII (name, email, phone, address, company details, VAT number) and service configuration, making this a cross-tenant confidentiality breach. No public exploit identified at time of analysis, and the issue is resolved in version 0.8.0.

Tags: Authentication Bypass, Fossbilling
References: NVD, GitHub
CVSS 4.0: 7.1 | EPSS: 0.3%
CVE-2026-23513 HIGH PATCH This Week

Cross-tenant data exposure in FOSSBilling 0.7.2 and earlier lets authenticated client users retrieve transaction and order records belonging to other clients by abusing SQL operator precedence in list-endpoint search queries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low complexity and low-privilege requirement make it a meaningful confidentiality risk for multi-tenant deployments. The flaw was remediated in version 0.8.0 released 2026-05-28.

Tags: Authentication Bypass, Fossbilling
References: NVD, GitHub
CVSS 4.0: 7.1 | EPSS: 0.3%
CVE-2025-64105 MEDIUM PATCH This Month

Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versions 0.6.21 through 0.7.2 to link tickets to orders owned by other clients by manipulating the rel_id parameter. The ticketCreateForClient() method omits ownership verification for non-upgrade ticket relations, enabling cross-client order association. While no automated harm occurs, staff can be deceived into acting on the wrong client's order - such as processing unauthorised cancellation or upgrade requests - with minimal order ID disclosure as a secondary confidentiality concern. No public exploit is identified at time of analysis; the issue is patched in version 0.8.0.

Tags: Authentication Bypass, Information Disclosure, Fossbilling
References: NVD, GitHub
CVSS 4.0: 5.1 | EPSS: 0.3%
CVE-2026-27604 CRITICAL PATCH Act Now

Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privileged `/api/system/*` admin API methods because the `system` role resolves to the cron admin identity without requiring credentials, session, or CSRF token. The flaw, rated CVSS 4.0 10.0 with full vulnerable- and subsequent-system impact, is patched in 0.8.0; publicly available exploit code exists per VulnCheck's writeup chaining this bypass to SSTI for remote code execution.

Tags: Information Disclosure, CSRF, Fossbilling
References: NVD, GitHub
CVSS 4.0: 10.0 | EPSS: 0.4%
CVE-2026-28496 CRITICAL POC PATCH Act Now

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arbitrary code and disclose sensitive information by injecting Twig expressions into template-rendering features. The unsandboxed Twig environment exposes the application's dependency injection container, turning any admin-accessible template surface into a full RCE primitive. No public exploit identified at time of analysis, but a related auth-bypass chain (GHSA-78x5-c8gw-8279) is documented by VulnCheck and could lower the practical privilege bar.

Tags: RCE, Information Disclosure, SSTI, Fossbilling
References: NVD, GitHub
CVSS 4.0: 9.4 | EPSS: 1.9%
CVE-2026-43926 MEDIUM PATCH This Month

Password reset token enumeration in FOSSBilling prior to 0.8.0 exposes three authentication endpoints - including the elevated-privilege admin reset at `/staff/email/:hash` - to unlimited brute-force guessing due to a rate limiter architecturally scoped exclusively to `/api/*` routes. The confirmation endpoint acts as a CWE-204 oracle, returning distinguishable HTTP responses (200 for valid tokens, 302 redirect for invalid), allowing an unauthenticated remote attacker to probe token validity without throttling, lockout, or attempt counting. Practical exploitation risk is substantially reduced by 256-bit token entropy (`hash('sha256', random_bytes(32))`) combined with a 15-minute expiry window, which is accurately reflected in the CVSS 4.0 AC:H/AT:P scoring; no public exploit or CISA KEV listing has been identified at time of analysis.

Tags: Apache, Information Disclosure, Oracle, Nginx, Fossbilling
References: NVD, GitHub
CVSS 4.0: 6.3 | EPSS: 0.0%