CVE-2026-43927
FOSSBilling has race condition in cart checkout that bypasses promo code usage limits
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request completes the usage increment, a client can obtain unlimited discounted or free orders from a single-use or limited-use promo code. Version 0.8.0 patches the issue. Some workarounds are available. Disable promo codes entirely until a patch is available or monitor the `promo` table for `used` values exceeding `maxuses` and manually review affected orders.
| CWE | CWE-367 |
| Vendor | fossbilling |
| Product | fossbilling |
| Published | Jul 6, 2026 |
| Last Updated | Jul 7, 2026 |
Get instant alerts for fossbilling fossbilling
Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published โ delivered to Slack, Telegram or Discord.