Fossbilling
by fossbilling
Source repositories
CVEs (20)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40495 | Med | 0.45 | — | 0.00 | Jun 3, 2026 | FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the `hide_version_public` security setting. The FOSSBilling version is embedded in the… | ||
| CVE-2026-43926 | Med | 0.41 | — | 0.00 | Jun 4, 2026 | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only… | ||
| CVE-2026-43924 | Med | 0.31 | — | 0.00 | Jun 3, 2026 | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be… | ||
| CVE-2026-33543 | 0.00 | — | 0.00 | Jun 24, 2026 | FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an… | |||
| CVE-2026-27708 | 0.00 | — | 0.00 | Jun 24, 2026 | FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially… | |||
| CVE-2026-23513 | 0.00 | — | 0.00 | Jun 23, 2026 | FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In… | |||
| CVE-2025-64105 | 0.00 | — | 0.00 | Jun 23, 2026 | FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when… | |||
| CVE-2026-27604 | 0.00 | — | 0.00 | Jun 23, 2026 | FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the… | |||
| CVE-2026-28496 | 0.00 | — | 0.02 | Jun 23, 2026 | FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass… | |||
| CVE-2023-4005 | Cri | 0.00 | 9.8 | 0.00 | Jul 31, 2023 | Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. | ||
| CVE-2023-3521 | Med | 0.00 | 6.1 | 0.01 | Jul 6, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4. | ||
| CVE-2023-3493 | Hig | 0.00 | 8.0 | 0.01 | Jun 30, 2023 | Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3. | ||
| CVE-2023-3491 | Hig | 0.00 | 8.8 | 0.01 | Jun 30, 2023 | Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3. | ||
| CVE-2023-3490 | Cri | 0.00 | 9.8 | 0.01 | Jun 30, 2023 | SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3. | ||
| CVE-2023-3394 | Med | 0.00 | 5.4 | 0.01 | Jun 23, 2023 | Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1. | ||
| CVE-2023-3393 | Hig | 0.00 | 7.2 | 0.01 | Jun 23, 2023 | Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. | ||
| CVE-2023-3230 | Hig | 0.00 | 7.5 | 0.00 | Jun 14, 2023 | Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0. | ||
| CVE-2023-3229 | Med | 0.00 | 6.5 | 0.01 | Jun 14, 2023 | Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. | ||
| CVE-2023-3228 | Med | 0.00 | 5.7 | 0.00 | Jun 14, 2023 | Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. | ||
| CVE-2023-3227 | Med | 0.00 | 5.7 | 0.00 | Jun 14, 2023 | Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0. |
- risk 0.45cvss —epss 0.00
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the `hide_version_public` security setting. The FOSSBilling version is embedded in the…
- risk 0.41cvss —epss 0.00
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only…
- risk 0.31cvss —epss 0.00
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be…
- CVE-2026-33543Jun 24, 2026risk 0.00cvss —epss 0.00
FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an…
- CVE-2026-27708Jun 24, 2026risk 0.00cvss —epss 0.00
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially…
- CVE-2026-23513Jun 23, 2026risk 0.00cvss —epss 0.00
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In…
- CVE-2025-64105Jun 23, 2026risk 0.00cvss —epss 0.00
FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when…
- CVE-2026-27604Jun 23, 2026risk 0.00cvss —epss 0.00
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the…
- CVE-2026-28496Jun 23, 2026risk 0.00cvss —epss 0.02
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass…
- risk 0.00cvss 9.8epss 0.00
Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.
- risk 0.00cvss 6.1epss 0.01
Cross-site Scripting (XSS) - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4.
- risk 0.00cvss 8.0epss 0.01
Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.
- risk 0.00cvss 8.8epss 0.01
Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3.
- risk 0.00cvss 9.8epss 0.01
SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3.
- risk 0.00cvss 5.4epss 0.01
Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1.
- risk 0.00cvss 7.2epss 0.01
Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1.
- risk 0.00cvss 7.5epss 0.00
Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0.
- risk 0.00cvss 6.5epss 0.01
Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0.
- risk 0.00cvss 5.7epss 0.00
Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0.
- risk 0.00cvss 5.7epss 0.00
Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0.