CVE-2026-43920: FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible withou
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configuration files, execute database schema changes, perform filesystem mutations, and clear caches. The /run-patcher endpoint executes privileged maintenance operations - configuration migrations, database patch execution (including ALTER TABLE, DROP TABLE, UPDATE statements), filesystem deletions and renames, and cache clearing - without requiring administrator authentication, CSRF validation, or CLI context. An unauthenticated remote attacker can trigger these operations by sending a simple HTTP GET request to /run-patcher, which can be abused for denial-of-service attacks. Certain patches (e.g., batch token regeneration for all admin and client accounts in patch 53, and session invalidation) are disruptive even when re-executed against an already-patched instance. Repeated or concurrent requests may also cause inconsistent database state. This issue has been fixed in version 0.8.0.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-43920
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-439200.55% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 42% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-43920 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for FOSSBilling is a
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-53648: FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.…nvd · 2026-07-07
- unknownCVE-2026-53647: FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 thr…nvd · 2026-07-07
- unknownCVE-2026-53646: FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 thr…nvd · 2026-07-06
- unknownCVE-2026-53645: FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8…nvd · 2026-07-06
- unknownCVE-2026-53644: FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 throug…nvd · 2026-07-06
- unknownCVE-2026-53643: FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8…nvd · 2026-07-06
More from NVD Recent CVEs
- highCVE-2026-15491: A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cc…2026-07-12
- highCVE-2026-15490: A security flaw has been discovered in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6…2026-07-12
- highCVE-2026-15489: A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cc…2026-07-12
- highCVE-2026-15488: A vulnerability was determined in hcr707305003 shiroiAdmin 1.1/1.3. Affected is the function F…2026-07-12
- mediumCVE-2026-15487: A vulnerability was found in TRENDnet TEW-821DAP 1.11B03. This impacts the function sub_41FBD0…2026-07-12