CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-42341

unknowncovered by 1 sourcefirst seen 2026-07-06
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment, by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available. Disable the Custom payment gateway if not actively needed and/or restrict access to /ipn.php at the web server level (e.g., via IP allowlisting), noting that this may interfere with legitimate payment callback processing.

⚡ Watch CVE-2026-42341

Get an email if CVE-2026-42341 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-42341

CVE.org record

Embed the live status

CVE-2026-42341 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-42341 status](https://www.csirts.com/badge/CVE-2026-42341)](https://www.csirts.com/cve/CVE-2026-42341)