CVE-2026-42341
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Summary
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment, by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available. Disable the Custom payment gateway if not actively needed and/or restrict access to /ipn.php at the web server level (e.g., via IP allowlisting), noting that this may interfere with legitimate payment callback processing.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FOSSBilling | FOSSBilling | >= 0.6.0, < 0.8.0 | affected |
Weaknesses
- CWE-306: CWE-306: Missing Authentication for Critical Function
- CWE-346: CWE-346: Origin Validation Error
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.