PT-2026-56030 · Unknown · Fossbilling

Dilipmallavarapu

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-43925

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0
Description An unauthenticated mass assignment issue exists in the client self-registration endpoint. This allows a visitor to assign themselves to an arbitrary client group during the sign-up process. Since client groups can control promo code eligibility, an attacker could potentially apply group-restricted discount codes to obtain unauthorized discounts. Mass assignment is a vulnerability where an application takes user-provided data and binds it to an internal object without proper filtering, allowing the user to modify fields they should not have access to.
Recommendations Update to version 0.8.0. Remove group restrictions from promo codes. Disable client self-registration via Settings → Clients → Disable signup.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43925

Affected Products

Fossbilling