CVE-2026-43920

Source
https://cve.org/CVERecord?id=CVE-2026-43920
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43920.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43920
Aliases
  • GHSA-prx6-m547-rfmg
Published
2026-06-25T23:06:43.546Z
Modified
2026-07-15T01:49:05.819690796Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
FOSSBilling: Unauthenticated update patcher endpoint allows remote maintenance execution
Details

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configuration files, execute database schema changes, perform filesystem mutations, and clear caches. The /run-patcher endpoint executes privileged maintenance operations - configuration migrations, database patch execution (including ALTER TABLE, DROP TABLE, UPDATE statements), filesystem deletions and renames, and cache clearing - without requiring administrator authentication, CSRF validation, or CLI context. An unauthenticated remote attacker can trigger these operations by sending a simple HTTP GET request to /run-patcher, which can be abused for denial-of-service attacks. Certain patches (e.g., batch token regeneration for all admin and client accounts in patch 53, and session invalidation) are disruptive even when re-executed against an already-patched instance. Repeated or concurrent requests may also cause inconsistent database state. This issue has been fixed in version 0.8.0.

Database specific
{
    "cwe_ids": [
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43920.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/fossbilling/fossbilling

Affected ranges

Type
GIT
Repo
https://github.com/fossbilling/fossbilling
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.5.4"
        },
        {
            "fixed": "0.8.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.5.4
0.5.5
0.6.0
0.6.1
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.15
0.6.16
0.6.17
0.6.18
0.6.19
0.6.2
0.6.20
0.6.21
0.6.22
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43920.json"