Lucene search
K

214 matches found

NVD
NVD
added 2026/07/06 10:16 p.m.12 views

CVE-2026-43921

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's Config::prettyPrintArrayToPHP method. When configuration values are updated, string values are written into config.php without escaping...

8.9CVSS0.00274EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 10:16 p.m.10 views

CVE-2026-43918

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS0.00235EPSS
Exploits0References2
CVE
CVE
added 2026/07/06 9:53 p.m.12 views

CVE-2026-43928

FOSSBilling PayPalEmail integration before 0.8.0 credits mc_gross from IPN without validating against the invoice total, combined with a $0.05 epsilon in the credit logic, enabling underpayment of up to $0.04 while marking invoices as paid. Version 0.8.0 patches the issue. No public workaround ex...

2.3CVSS5.9AI score0.00274EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 9:53 p.m.33 views

CVE-2026-43928 FOSSBilling: Payment amount not validated in PayPalEmail adapter allows invoice underpayment

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount mcgross to the client's balance without validating it against the invoice total. Combined with a $0.05...

2.3CVSS0.00274EPSS
Exploits0References1
OSV
OSV
added 2026/07/06 9:41 p.m.4 views

CVE-2026-43925 FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized promo code use

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References3
CVE
CVE
added 2026/07/06 9:41 p.m.11 views

CVE-2026-43925

FOSSBilling (open-source billing/client management) contains an unauthenticated mass assignment vulnerability in the client self-registration endpoint, prior to version 0.8.0. An attacker can assign themselves to an arbitrary client group during sign-up, potentially bypassing group-restricted pro...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 9:38 p.m.33 views

CVE-2026-43921 FOSSBilling vulnerable to arbitrary PHP code injection via unescaped config serialization

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's Config::prettyPrintArrayToPHP method. When configuration values are updated, string values are written into config.php without escaping...

8.9CVSS0.00274EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:38 p.m.6 views

CVE-2026-43921

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's Config::prettyPrintArrayToPHP method. When configuration values are updated, string values are written into config.php without escaping...

8.9CVSS6.2AI score0.00274EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/06 9:38 p.m.17 views

CVE-2026-43921

FOSSBilling is affected by a PHP code injection in versions 0.6.10–0.7.2 via Config::prettyPrintArrayToPHP(), where updated configuration values are written to config.php without escaping single quotes. Because config.php is loaded with a bare include on each HTTP request, an admin with privilege...

8.9CVSS6.2AI score0.00274EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 9:18 p.m.35 views

CVE-2026-43918 Suspended or inactive FOSSBilling accounts can retain or regain access through existing sessions, API tokens, and password reset flows

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS0.00235EPSS
Exploits0References2
CVE
CVE
added 2026/07/06 9:18 p.m.27 views

CVE-2026-43918

FOSSBilling before 0.8.0 does not invalidate existing sessions for suspended or inactive accounts. The session identity loaders (loggedin_client and loggedin_admin) only reject sessions if the backing account record no longer exists; they do not check that the account’s status remains active. Thi...

8.7CVSS5.9AI score0.00235EPSS
Exploits0References2
NVD
NVD
added 2026/07/06 9:16 p.m.7 views

CVE-2026-33734

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the Massmailer module filter functionality. An authenticated administrator can supply crafted filter values when updating a mass email message, causing...

6.9CVSS0.00218EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 9:0 p.m.33 views

CVE-2026-42331 FOSSBilling missing authorization in guest Invoice API endpoints

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the...

7.7CVSS0.00247EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 9:0 p.m.13 views

CVE-2026-42331

FOSSBilling before version 0.8.0 has an authorization gap in the Guest API invoice/update endpoint. An unauthenticated attacker who knows an invoice hash can modify the payment gateway associated with an unpaid invoice, potentially changing gateway_id to any gateway configured in the system. The ...

7.7CVSS6AI score0.00247EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:0 p.m.5 views

CVE-2026-42331

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the...

7.7CVSS6AI score0.00247EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/07/06 8:56 p.m.35 views

CVE-2026-33734 FOSSBilling has improper SQL neutralization in `Massmailer` recipient filters

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the Massmailer module filter functionality. An authenticated administrator can supply crafted filter values when updating a mass email message, causing...

6.9CVSS0.00218EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 8:56 p.m.14 views

CVE-2026-33734

Summary: CVE-2026-33734 affects FOSSBilling. Versions 0.6.0–0.7.2 contain an SQL injection in the Massmailer module’s recipient filter functionality. An authenticated administrator can supply crafted filter values when updating a mass email message, causing untrusted input to be interpolated dire...

6.9CVSS6AI score0.00218EPSS
Exploits0References1
OSV
OSV
added 2026/07/06 8:56 p.m.6 views

CVE-2026-33734 FOSSBilling has improper SQL neutralization in `Massmailer` recipient filters

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the Massmailer module filter functionality. An authenticated administrator can supply crafted filter values when updating a mass email message, causing...

6.9CVSS6AI score0.00218EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/06 8:53 p.m.36 views

CVE-2026-42341 FOSSBilling has an unauthenticated payment bypass via IPN callback forgery

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit...

9.2CVSS0.00184EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 8:53 p.m.13 views

CVE-2026-42341

FOSSBilling versions 0.6.0–0.7.2 contain an unauthenticated payment bypass in the IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the client account without a real payment by sending a crafted HTTP request. Version 0.8....

9.2CVSS6AI score0.00184EPSS
Exploits0References1
Rows per page
Query Builder