CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53647

unknownpublic exploitcovered by 1 sourcefirst seen 2026-07-07
Public exploit code is available. Proof-of-concept or working exploit code for CVE-2026-53647 is indexed in GitHub PoC. Expect opportunistic scanning and exploitation attempts — prioritize remediation even though it is not (yet) in the CISA KEV catalog.
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/get_info API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (custom_* fields) stored in the key's database record. These custom fields are populated by billing administrators and can contain business-sensitive data such as pricing tiers, feature flags, rate limits, expiry overrides, or access scope data. Version 0.8.0 patches the issue. Some workarounds are available. Administrators can avoid storing sensitive data in custom_* API key configuration fields, monitor API logs for suspicious calls to /api/guest/serviceapikey/get_info, and/or disable the Serviceapikey module if not in active use.

⚡ Watch CVE-2026-53647

Get an email if CVE-2026-53647 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Exploit availability

Public exploit or proof-of-concept code for CVE-2026-53647 is indexed in these free datasets. Available exploit code raises real-world risk independent of the CVSS score.

Advisory coverage (1)

External references

NVD record for CVE-2026-53647

CVE.org record

Embed the live status

CVE-2026-53647 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53647 status](https://www.csirts.com/badge/CVE-2026-53647)](https://www.csirts.com/cve/CVE-2026-53647)