๐Ÿ” CVE Alert

CVE-2026-42341

UNKNOWN 0.0

FOSSBilling has an unauthenticated payment bypass via IPN callback forgery

CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
8th

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment, by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available. Disable the Custom payment gateway if not actively needed and/or restrict access to `/ipn.php` at the web server level (e.g., via IP allowlisting), noting that this may interfere with legitimate payment callback processing.

CWE CWE-306 CWE-346
Vendor fossbilling
Product fossbilling
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for fossbilling fossbilling

Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

FOSSBilling / FOSSBilling
>= 0.6.0, < 0.8.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-5493-9m76-2qrr