CVE-2026-43928
Received Received - Intake

PayPal IPN Underpayment Vulnerability in FOSSBilling

Vulnerability report for CVE-2026-43928, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount (`mc_gross`) to the client's balance without validating it against the invoice total. Combined with a $0.05 floating-point epsilon tolerance in the invoice credit-payment logic, this allows a client to underpay an invoice by up to $0.04 and still have it marked as fully paid. Version 0.8.0 patches the issue. There is no effective workaround without modifying the source code. Merchants using the PayPalEmail adapter should monitor IPN transactions for amounts that do not match their corresponding invoice totals, and manually review and refund suspicious payments.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fossbilling fossbilling to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FOSSBilling's PayPalEmail payment adapter prior to version 0.8.0. The adapter accepts PayPal IPN callbacks and credits the amount specified by the IPN (`mc_gross`) to the client's balance without verifying that this amount matches the invoice total.

Due to a $0.05 floating-point epsilon tolerance in the invoice credit-payment logic, a client can underpay an invoice by up to $0.04 and still have the invoice marked as fully paid.

Version 0.8.0 of FOSSBilling fixes this issue. Without updating, there is no effective workaround except modifying the source code. Merchants using this adapter should monitor IPN transactions for mismatched amounts and manually review suspicious payments.

Impact Analysis

This vulnerability can allow clients to underpay invoices by small amounts (up to $0.04) while still having their invoices marked as fully paid.

As a result, merchants may lose small amounts of revenue without immediate detection.

Merchants need to manually monitor and review IPN transactions to detect and refund suspicious payments, increasing operational overhead.

Detection Guidance

Merchants using the PayPalEmail adapter should monitor IPN transactions for amounts that do not match their corresponding invoice totals.

There are no specific commands provided to detect this vulnerability on your network or system.

Mitigation Strategies

There is no effective workaround without modifying the source code.

The issue is patched in FOSSBilling version 0.8.0, so upgrading to this version or later is recommended.

Merchants should manually review and refund suspicious payments where the IPN-supplied amount does not match the invoice total.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43928. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart