CVE-2026-43924
Open Redirect Vulnerability in FOSSBilling Prior to 0.8.0

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the `extension_meta` table with `extension = 'mod_redirect'`) for any unexpected or external target URLs.
Generated: 2026-06-04
Affected Vendors & Products (2 associated CPEs)

Vendor       Product      Version / Range
fossbilling  fossbilling  up to 0.8.0 (excluding)
fossbilling  fossbilling  from 0.1.0 (including) to 0.7.2 (including)
CWE

CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-43924 is an open redirect vulnerability in FOSSBilling versions 0.1.0 through 0.7.2. The Redirect module does not validate the URL scheme of administrator-configured redirect targets before storing or issuing redirects.

This allows an attacker with administrator privileges to configure arbitrary external URLs as redirect targets. As a result, users who follow legitimate FOSSBilling URLs can be silently redirected to attacker-controlled external sites.

The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact of the attack.

Exploitation requires administrator privileges to create or modify redirect entries, so it is mainly a risk in multi-admin environments or if an admin account is compromised.

The issue was fixed in version 0.8.0, and workarounds include restricting admin access to the Redirect module and auditing existing redirect entries for unexpected or external URLs.


How can this vulnerability impact me?

This vulnerability can be exploited to perform phishing attacks by redirecting users from legitimate FOSSBilling URLs to attacker-controlled external sites without their knowledge.

Because the redirect uses a 301 (Moved Permanently) response, browsers cache the redirect persistently, which can cause repeated redirection to malicious sites even after the initial attack.

The impact is limited by the requirement for administrator privileges to create or modify redirect entries, so it mainly affects environments with multiple administrators or where an admin account has been compromised.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by auditing the existing redirect entries configured by administrators in the FOSSBilling system. Specifically, you should check the redirect targets stored in the database table `extension_meta` where `extension = 'mod_redirect'` for any unexpected or external URLs that could indicate an open redirect configuration.

Since the vulnerability involves administrator-configured redirect URLs, detection involves querying the database for redirect entries and inspecting them for suspicious external URLs.

  • Run a SQL query on the FOSSBilling database to list redirect entries, for example:

        SELECT * FROM extension_meta WHERE extension = 'mod_redirect';

  • Review the results for any redirect URLs that point to external or untrusted domains.

Additionally, monitoring HTTP responses for 301 redirects issued by the FOSSBilling Redirect module to external URLs can help detect exploitation attempts.
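Added example (not FOSSBilling's own code): a Python audit script that applies the scheme and host check the pre-0.8.0 Redirect module lacked to rows shaped like the `extension_meta` query results above, flagging every target that would send a visitor off-site. The `meta_key`/`meta_value` column layout, the allowed host and the row values are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Host(s) this FOSSBilling instance is served from; assumed value for the example.
ALLOWED_HOSTS = {"billing.example.com"}

# Constructed rows standing in for:
#   SELECT id, extension, meta_key, meta_value FROM extension_meta WHERE extension = 'mod_redirect';
# meta_key (source path) / meta_value (target) is an assumed layout; adjust to your schema.
SAMPLE_ROWS = [
    {"id": 1, "extension": "mod_redirect", "meta_key": "/promo",   "meta_value": "/order/hosting"},
    {"id": 2, "extension": "mod_redirect", "meta_key": "/support", "meta_value": "https://billing.example.com/support"},
    {"id": 3, "extension": "mod_redirect", "meta_key": "/login",   "meta_value": "https://evil.example.net/login"},
    {"id": 4, "extension": "mod_redirect", "meta_key": "/files",   "meta_value": "ftp://files.example.net/pub"},
    {"id": 5, "extension": "mod_redirect", "meta_key": "/help",    "meta_value": "//evil.example.net/help"},
]


def is_safe_target(target, allowed_hosts):
    """Scheme/host check of the kind the pre-0.8.0 Redirect module lacked: accept only
    site-relative paths ("/path") or absolute http(s) URLs on one of allowed_hosts."""
    if not target:
        return False
    # "//host/path" and "/\host" are scheme-relative: they leave the site despite the leading slash.
    if target.startswith(("//", "/\\", "\\")):
        return False
    if target.startswith("/"):
        return True
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit drops userinfo, so "https://allowed@evil/" resolves to host "evil" and is rejected.
    return parts.hostname is not None and parts.hostname.lower() in allowed_hosts


def audit_redirects(rows, allowed_hosts):
    """Return the mod_redirect rows whose target fails is_safe_target."""
    return [row for row in rows
            if row["extension"] == "mod_redirect"
            and not is_safe_target(row["meta_value"], allowed_hosts)]


if __name__ == "__main__":
    for row in audit_redirects(SAMPLE_ROWS, ALLOWED_HOSTS):
        print(f"row {row['id']}: {row['meta_key']} -> {row['meta_value']} (external or non-http scheme)")
```

Because the module answers with a 301, deleting or correcting a flagged row stops new visitors from being redirected but does not clear the redirect already cached by browsers that followed it.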


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation steps include upgrading FOSSBilling to version 0.8.0 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, apply the following workarounds:

  • Restrict administrator access to the Redirect module to only trusted administrators.
  • Audit the existing redirect entries in the database (in the `extension_meta` table with `extension = 'mod_redirect'`) and remove or correct any redirect URLs that point to external or untrusted sites.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an open redirect to attacker-controlled external URLs, which can be exploited for phishing attacks by redirecting users silently from legitimate FOSSBilling URLs.

Such phishing risks could potentially lead to unauthorized access or data exposure, which may impact compliance with standards like GDPR or HIPAA that require protection of user data and prevention of unauthorized access.

However, exploitation requires administrator privileges, limiting the practical risk to environments with multiple administrators or compromised admin accounts.

Mitigations such as restricting admin access and auditing redirect entries can reduce the risk and help maintain compliance.

