FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request completes the usage increment, a client can obtain unlimited discounted or free orders from a single-use or limited-use promo code. Version 0.8.0 patches the issue. Some workarounds are available. Disable promo codes entirely until a patch is available or monitor the `promo` table for `used` values exceeding `maxuses` and manually review affected orders.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 07 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 07 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Fossbilling
Fossbilling fossbilling |
|
| Vendors & Products |
Fossbilling
Fossbilling fossbilling |
Mon, 06 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request completes the usage increment, a client can obtain unlimited discounted or free orders from a single-use or limited-use promo code. Version 0.8.0 patches the issue. Some workarounds are available. Disable promo codes entirely until a patch is available or monitor the `promo` table for `used` values exceeding `maxuses` and manually review affected orders. | |
| Title | FOSSBilling has race condition in cart checkout that bypasses promo code usage limits | |
| Weaknesses | CWE-367 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-07T12:47:00.755Z
Reserved: 2026-05-04T16:59:09.089Z
Link: CVE-2026-43927
Updated: 2026-07-07T12:46:57.105Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T00:00:12Z
Weaknesses