Race Condition Vulnerability in FOSSBilling Affects Promo Code Usage
CVE-2026-43927

6.9MEDIUM

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-43927?

FOSSBilling, a free and open-source billing and client management system, is susceptible to a vulnerability that arises from a race condition in its cart checkout flow. This flaw permits authenticated clients to exploit the system by applying a promo code beyond its intended maximum uses. By initiating multiple concurrent checkout requests before any individual request completes the usage increment, clients can achieve unlimited discounted or free orders, effectively circumventing the limits set on single-use or limited-use promo codes. To mitigate this issue, users are advised to either disable promo codes entirely until the system is updated to version 0.8.0 or to actively monitor the promo table for any instances where used values exceed the configured maximum, leading to a thorough review of affected orders.

Affected Version(s)

FOSSBilling < 0.8.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.