Open Redirect Vulnerability in FOSSBilling System by FOSSBilling
CVE-2026-43924

4.8 MEDIUM

Key Information:

Vendor: FOSSBilling
CVE Published: 3 June 2026

What is CVE-2026-43924?

FOSSBilling versions prior to 0.8.0 contain an open redirect vulnerability: the Redirect module does not validate the URL scheme of the destination URLs that administrators configure, so an administrator can set an arbitrary external URL as a redirect target. A victim who follows a legitimate FOSSBilling URL can then be sent, without warning, to a site controlled by the attacker, which enables phishing. Because the module answers with a 301 (Moved Permanently) response, browsers may cache the redirect, which prolongs the exposure. Modifying redirects requires administrator access, so multi-admin deployments and compromised administrator accounts are the realistic exposure. Users are advised to update to version 0.8.0, or otherwise to restrict access to the Redirect module and audit existing redirect entries.
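The missing check described above is an allow-list on the destination: only site-relative paths, or absolute http(s) URLs whose host is the installation's own, should be accepted before a redirect is emitted. The following is an added illustration and is not FOSSBilling's code; the host name `billing.example.test`, the function names, and the sample redirect entries are all constructed for the example. The audit helper shows the "review existing redirect entries" step from the advice above applied to a stored rule set.

```python
"""Added example (not FOSSBilling's own code): allow-list validation of a
redirect destination, the kind of check the advisory says the Redirect module
lacked, plus a small audit over stored redirect entries."""
from urllib.parse import urlsplit

# Assumption for the example: the host name(s) this installation answers on.
ALLOWED_HOSTS = {"billing.example.test"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a site-relative path or an absolute http(s) URL
    whose host is on the allow-list. Everything else is treated as external."""
    if not target or not target.isprintable() or any(c.isspace() for c in target):
        return False  # control characters / whitespace can confuse URL parsers
    if "\\" in target:
        return False  # browsers treat '\' as '/', so '/\evil' is protocol-relative
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: scheme and host must both be on the allow-list.
        # This also rejects 'javascript:' and 'https://good@evil/' forms.
        return parts.scheme in ALLOWED_SCHEMES and (parts.hostname or "") in allowed_hosts
    # No scheme: accept only a path that starts with exactly one '/'.
    # '//evil.test' parses with an empty scheme but is protocol-relative.
    return target.startswith("/") and not target.startswith("//") and parts.netloc == ""


def build_redirect(target: str, permanent: bool = False) -> tuple[int, dict]:
    """Build (status, headers) for a redirect. Unsafe targets are refused rather
    than emitted, and 302 is the default so a mistake is not cached as a 301."""
    if not is_safe_redirect_target(target):
        raise ValueError(f"refusing to redirect to {target!r}")
    return (301 if permanent else 302), {"Location": target}


def audit_redirects(entries):
    """Return the (slug, destination) pairs that point off-site: the audit the
    advisory recommends for existing entries. `entries` is constructed data."""
    return [(slug, dest) for slug, dest in entries if not is_safe_redirect_target(dest)]


# Constructed sample of stored redirect rules, not real FOSSBilling data.
SAMPLE_ENTRIES = [
    ("invoice", "/client/invoice"),
    ("docs", "https://billing.example.test/docs"),
    ("promo", "https://attacker.example/login"),
    ("proto", "//attacker.example/login"),
    ("js", "javascript:alert(1)"),
    ("bs", "/\\attacker.example"),
]

if __name__ == "__main__":
    for slug, dest in audit_redirects(SAMPLE_ENTRIES):
        print(f"unsafe redirect {slug!r} -> {dest!r}")
```

Running the script lists the four constructed entries that point off-site (`promo`, `proto`, `js`, `bs`). The validator is deliberately conservative: a bare host name without a leading `/` is rejected rather than guessed at, and the decision is made on the raw stored string, so an entry that was saved before the fix is caught at audit time as well as at request time.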

Affected Version(s)

FOSSBilling < 0.8.0

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
