Total CVEs

143,081

Critical Severity

4,044

High Severity

14,530

Last 7 Days

1,245
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1 - 20 of 27 CVEs

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrator uploads a file for a downloadable product, FOSSBilling stores the file as `md5(<original filena...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 07, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest `serviceapikey/get_info` API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (`custom_*` fields) stored ...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 07, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a `ClientPasswordReset` record already exists for a client (from a previous unexpired reset request), subsequent calls to the `reset_password` guest API endpoint reuse the existing token in...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow a low-privileged staff account to grant arbitrary module permissions to itself through the admin API, resulting in persistent privilege escalation. A staff user that only has `staff.create_and_edit...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an `active` state (e.g., `suspended`, `canceled`). The root cause is missing order-state v...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the `can_always_access` module flag (which grants all staff access to certa...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (`email_approved = 0`) can access all client-area pages (e.g. `/client/bal...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a stored cross-site scripting (XSS) vulnerability in the client-facing email history views of FOSSBilling. Email HTML content (`content_html`) is rendered into a JavaScript template literal usi...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding read...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount (`mc_gross`) to the client's balance without validating it against the invoice total. Combined with a...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request compl...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can ga...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. When configuration values are updated, string values are written into `config.php` without es...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php (loggedin_client and loggedin_admin) ...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and cred...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the paymen...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the `Massmailer` module filter functionality. An authenticated administrator can supply crafted filter values when updating a mass email message, causing untrus...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jul 06, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configuration ...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jun 26, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exis...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jun 24, 2026
Source: NVD

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client...

Vendor: FOSSBilling
Product: FOSSBilling
Published: Jun 24, 2026
Source: NVD