PT-2026-56030 · Unknown · Fossbilling
Dilipmallavarapu
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-43925
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
FOSSBilling versions prior to 0.8.0
Description
An unauthenticated mass assignment issue exists in the client self-registration endpoint. This allows a visitor to assign themselves to an arbitrary client group during the sign-up process. Since client groups can control promo code eligibility, an attacker could potentially apply group-restricted discount codes to obtain unauthorized discounts. Mass assignment is a vulnerability where an application takes user-provided data and binds it to an internal object without proper filtering, allowing the user to modify fields they should not have access to.
Recommendations
Update to version 0.8.0.
Remove group restrictions from promo codes.
Disable client self-registration via Settings → Clients → Disable signup.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fossbilling