CVE-2026-53648
Received Received - Intake

File Overwrite via Predictable Filename in FOSSBilling

Vulnerability report for CVE-2026-53648, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrator uploads a file for a downloadable product, FOSSBilling stores the file as `md5(<original filename>)` under the uploads directory. Because the stored path depends only on the client-supplied filename, two different downloadable products, or product/order files, uploaded with the same original filename will resolve to the same stored file path. A later upload can overwrite an earlier upload, causing customers or administrators downloading the earlier product to receive the later file instead. Version 0.8.1 patches the issue. Some workarounds are available. Restrict the `servicedownloadable.manage` permission to fully trusted administrators only. As an operational mitigation, ensure downloadable product files use unique filenames before upload. This reduces accidental collisions but does not fully address the underlying issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fossbilling fossbilling From 0.1.0 (inc) to 0.8.0 (inc)
fossbilling fossbilling 0.8.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53648 is a vulnerability in FOSSBilling versions 0.1.0 through 0.8.0 where downloadable product files are stored using a deterministic filename-derived path based on the MD5 hash of the original filename.

Because the stored path depends only on the client-supplied filename, files with the same original filename uploaded for different products or orders will overwrite each other.

This means that a later upload can overwrite an earlier upload, causing customers or administrators to receive the wrong file when downloading a product.

The vulnerability requires authenticated administrators or staff members with the servicedownloadable.manage permission to exploit.

Version 0.8.1 of FOSSBilling patches this issue.

Impact Analysis

This vulnerability can impact you by causing integrity and confidentiality issues with downloadable product files.

Specifically, customers or administrators may receive incorrect files when downloading products due to file overwrites caused by filename collisions.

This can lead to confusion, loss of trust, or exposure of unintended files.

Since the vulnerability requires high privileges (authenticated administrators or staff with specific permissions), it could be exploited internally or by a compromised trusted user.

Detection Guidance

This vulnerability involves downloadable product files being overwritten due to filename collisions caused by storing files as md5 hashes of their original filenames. Detection would involve checking for files in the uploads directory that share the same MD5 hash-derived filename but originate from different products or orders.

You can detect potential exploitation or risk by listing files in the uploads directory and comparing their MD5 hash-derived names to the original filenames used in product uploads. Additionally, reviewing administrator actions related to file uploads and permissions for servicedownloadable.manage can help identify suspicious activity.

Suggested commands to assist detection might include:

  • Listing files in the uploads directory: `ls -l /path/to/fossbilling/uploads/`
  • Checking MD5 hashes of original filenames to see if collisions exist: `echo -n "filename.ext" | md5sum`
  • Comparing uploaded filenames and their hashes to detect duplicates or overwrites.
  • Reviewing user permissions for servicedownloadable.manage to ensure only trusted administrators have this permission.
Mitigation Strategies

Immediate mitigation steps include:

  • Restrict the servicedownloadable.manage permission to fully trusted administrators only to limit who can upload downloadable product files.
  • Ensure that downloadable product files use unique filenames before upload to reduce the risk of filename collisions and overwriting.
  • Upgrade FOSSBilling to version 0.8.1 or later, where this vulnerability has been patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53648. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart