Payment Processing Flaw in FOSSBilling Affects PayPal Transactions
CVE-2026-43928

2.3LOW

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-43928?

FOSSBilling, a free and open-source billing and client management solution, has a vulnerability in its PayPalEmail payment adapter that allows an attacker to manipulate invoice payments. Prior to version 0.8.0, the system processed PayPal IPN callbacks without validating the amount received against the total invoice amount. This flaw, combined with a $0.05 floating-point tolerance in the invoice credit logic, enables clients to underpay invoices by amounts up to $0.04, misleadingly marking them as fully settled. To mitigate this risk, merchants utilizing the PayPalEmail adapter should closely monitor IPN transaction amounts and implement manual reviews for any discrepancies to avoid potential financial losses.

Affected Version(s)

FOSSBilling < 0.8.0

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.