CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53648

unknowncovered by 1 sourcefirst seen 2026-07-07
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrator uploads a file for a downloadable product, FOSSBilling stores the file as md5(<original filename>) under the uploads directory. Because the stored path depends only on the client-supplied filename, two different downloadable products, or product/order files, uploaded with the same original filename will resolve to the same stored file path. A later upload can overwrite an earlier upload, causing customers or administrators downloading the earlier product to receive the later file instead. Version 0.8.1 patches the issue. Some workarounds are available. Restrict the servicedownloadable.manage permission to fully trusted administrators only. As an operational mitigation, ensure downloadable product files use unique filenames before upload. This reduces accidental collisions but does not fully address the underlying issue.

⚡ Watch CVE-2026-53648

Get an email if CVE-2026-53648 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-53648

CVE.org record

Embed the live status

CVE-2026-53648 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53648 status](https://www.csirts.com/badge/CVE-2026-53648)](https://www.csirts.com/cve/CVE-2026-53648)