CVE-2026-43927 PUBLISHED

FOSSBilling has race condition in cart checkout that bypasses promo code usage limits

Assigner: GitHub_M
Reserved: 04.05.2026 Published: 06.07.2026 Updated: 07.07.2026

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request completes the usage increment, a client can obtain unlimited discounted or free orders from a single-use or limited-use promo code. Version 0.8.0 patches the issue. Some workarounds are available. Disable promo codes entirely until a patch is available or monitor the promo table for used values exceeding maxuses and manually review affected orders.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor FOSSBilling
Product FOSSBilling
Versions
  • Version < 0.8.0 is affected

References

Problem Types

  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE