CVE-2026-43924 – FOSSBilling has an open redirect via administrator-configured redirect targets

CVE ID :CVE-2026-43924

Published : June 3, 2026, 8:16 p.m. | 16 minutes ago

Description :FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the `extension_meta` table with `extension = ‘mod_redirect’`) for any unexpected or external target URLs.

Severity: 4.8 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-46447 – OpenStack Ironic Boot Script Injection

CVE-2026-22055 – Active IQ OneCollect Hard-coded Credentials for AutoSupport Operations

CVE-2026-22054 – Active IQ Config Advisor Hard-coded Credentials

CVE-2026-10771 – crmeb crmeb_java base64 Qrcode Endpoint RestTemplateUtil.java RestTemplate.getForEntity server-side request forgery