CVE-2026-33543

FOSSBilling versions 0.7.2 and earlier expose a guest API endpoint /api/guest/staff/create intended for initial admin bootstrap. A flawed admin-existence check (is_countable() used on a Model_Admin object or null) makes the guard always evaluate true, allowing unauthenticated creation of an admin...