CVE-2026-43924

FOSSBilling is a free, open-source billing and client management system

Published: 2026-06-03 · Last updated: 2026-06-04

Severity and scoring

CWE: CWE-601

Description

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the `extension_meta` table with `extension = 'mod_redirect'`) for any unexpected or external target URLs.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-53523 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.8 MEDIUM)
CVE-2026-50089 — The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untruste... (6.1 MEDIUM)
CVE-2026-46616 — Umbraco is an ASP.NET CMS (5.4 MEDIUM)
CVE-2026-48856 — Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data (6.5 MEDIUM)
CVE-2026-45566 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (6.1 MEDIUM)