Payment Processing Flaw in FOSSBilling Affects PayPal Transactions
CVE-2026-43928
2.3LOW
What is CVE-2026-43928?
FOSSBilling, a free and open-source billing and client management solution, has a vulnerability in its PayPalEmail payment adapter that allows an attacker to manipulate invoice payments. Prior to version 0.8.0, the system processed PayPal IPN callbacks without validating the amount received against the total invoice amount. This flaw, combined with a $0.05 floating-point tolerance in the invoice credit logic, enables clients to underpay invoices by amounts up to $0.04, misleadingly marking them as fully settled. To mitigate this risk, merchants utilizing the PayPalEmail adapter should closely monitor IPN transaction amounts and implement manual reviews for any discrepancies to avoid potential financial losses.
Affected Version(s)
FOSSBilling < 0.8.0
