CVE-2026-43925
Description
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can gate promo code eligibility, an attacker may apply group-restricted discount codes and receive unauthorized discounts. Version 0.8.0 contains a patch. As a workaround, administrators can either remove group restrictions from promo codes or disable client self-registration (Settings → Clients → Disable signup).
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-43925? +
How do I check if I'm vulnerable to CVE-2026-43925? +
Related Vulnerabilities
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, …
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, …
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or …
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose …
An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity …
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control …