๐Ÿ” CVE Alert

CVE-2026-43927

UNKNOWN 0.0

FOSSBilling has race condition in cart checkout that bypasses promo code usage limits

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request completes the usage increment, a client can obtain unlimited discounted or free orders from a single-use or limited-use promo code. Version 0.8.0 patches the issue. Some workarounds are available. Disable promo codes entirely until a patch is available or monitor the `promo` table for `used` values exceeding `maxuses` and manually review affected orders.

CWE CWE-367
Vendor fossbilling
Product fossbilling
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for fossbilling fossbilling

Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

FOSSBilling / FOSSBilling
< 0.8.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-w898-cx35-25gh