๐Ÿ” CVE Alert

CVE-2026-43918

UNKNOWN 0.0

Suspended or inactive FOSSBilling accounts can retain or regain access through existing sessions, API tokens, and password reset flows

CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
14th

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php (loggedin_client and loggedin_admin) only reject sessions if the backing account record no longer exists in the database. They do not verify that the account's status is still active. This allows a suspended or deactivated user to retain full access until their session naturally expires. This issue has been fixed in version 0.8.0.

CWE CWE-613
Vendor fossbilling
Product fossbilling
Published Jul 6, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for fossbilling fossbilling

Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

FOSSBilling / FOSSBilling
< 0.8.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-qv6c-v49w-8g2j github.com: https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0