Lucene search
K

214 matches found

CVE
CVE
added 2026/06/24 7:24 p.m.12 views

CVE-2026-27708

FOSSBilling, before 0.8.0, is vulnerable to an IDOR in the Servicecustom Client API: the __call method accepts an order_id and fetches the order without ensuring the authenticated client owns it, enabling cross-client access to other clients’ orders and exposing PII and service configuration data...

7.1CVSS5.8AI score0.00265EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 7:24 p.m.19 views

CVE-2026-27708 FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's call method accepts an orderid parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data...

7.1CVSS0.00265EPSS
Exploits0References2
NVD
NVD
added 2026/06/23 9:16 p.m.8 views

CVE-2026-23513

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery and...

7.1CVSS0.00282EPSS
Exploits0References2
NVD
NVD
added 2026/06/23 9:16 p.m.9 views

CVE-2025-64105

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating relid when reltype=order, an authenticated...

5.1CVSS0.00265EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 8:11 p.m.7 views

CVE-2026-23513

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery and...

7.1CVSS5.9AI score0.00282EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/23 8:11 p.m.2 views

CVE-2026-23513 FOSSBilling: Broken Authorization in Client Transaction and Order Listings

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery and...

7.1CVSS6AI score0.00282EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/23 8:11 p.m.30 views

CVE-2026-23513 FOSSBilling: Broken Authorization in Client Transaction and Order Listings

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery and...

7.1CVSS0.00282EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 8:11 p.m.14 views

CVE-2026-23513

CVE-2026-23513 affects FOSSBilling prior to 0.8.0. A query-construction flaw in client list endpoints (ServiceTransaction::getSearchQuery and Order\Service::getSearchQuery) fails to group OR-based filters, allowing authenticated clients to bypass tenant scoping and retrieve other clients’ data (i...

7.1CVSS5.9AI score0.00282EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 7:45 p.m.4 views

CVE-2025-64105

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating relid when reltype=order, an authenticated...

5.1CVSS5.8AI score0.00265EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/23 7:45 p.m.6 views

CVE-2025-64105 FOSSBilling: IDOR Vulnerability in Support Ticket Creation

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating relid when reltype=order, an authenticated...

5.1CVSS5.9AI score0.00265EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/23 7:45 p.m.32 views

CVE-2025-64105 FOSSBilling: IDOR Vulnerability in Support Ticket Creation

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating relid when reltype=order, an authenticated...

5.1CVSS0.00265EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 7:45 p.m.13 views

CVE-2025-64105

Summary: FOSSBilling

5.1CVSS5.8AI score0.00265EPSS
Exploits0References2
NVD
NVD
added 2026/06/23 3:16 p.m.14 views

CVE-2026-28496

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...

9.4CVSS0.01892EPSS
Exploits1References3
NVD
NVD
added 2026/06/23 3:16 p.m.9 views

CVE-2026-27604

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/ endpoints. Because system resolves to the cron admin identity,...

10CVSS0.00408EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/23 2:25 p.m.4 views

CVE-2026-27604

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/ endpoints. Because system resolves to the cron admin identity,...

10CVSS5.9AI score0.00408EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/06/23 2:25 p.m.39 views

CVE-2026-27604 FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/ endpoints. Because system resolves to the cron admin identity,...

10CVSS0.00408EPSS
Exploits0References3
CVE
CVE
added 2026/06/23 2:25 p.m.26 views

CVE-2026-27604

FOSSBilling 0.5.4–0.7.x contains an authorization bypass in the API role handling that permits unauthenticated access to privileged /api/system/* endpoints. The issue maps to the system identity (cron admin), allowing admin API methods without credentials, session, or CSRF tokens. Version 0.8.0 i...

10CVSS5.9AI score0.00408EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 2:25 p.m.3 views

CVE-2026-27604 FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/ endpoints. Because system resolves to the cron admin identity,...

10CVSS5.9AI score0.00408EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/23 2:20 p.m.7 views

CVE-2026-28496

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...

9.4CVSS6.4AI score0.01892EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/06/23 2:20 p.m.64 views

CVE-2026-28496 FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...

9.4CVSS0.01892EPSS
Exploits1References3
Rows per page
Query Builder