Back to overview

CVE-2026-53648

MEDIUM
5.1
CVSS 4.0
Description
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrator uploads a file for a downloadable product, FOSSBilling stores the file as `md5(<original filename>)` under the uploads directory. Because the stored path depends only on the client-supplied filename, two different downloadable products, or product/order files, uploaded with the same original filename will resolve to the same stored file path. A later upload can overwrite an earlier upload, causing customers or administrators downloading the earlier product to receive the later file instead. Version 0.8.1 patches the issue. Some workarounds are available. Restrict the `servicedownloadable.manage` permission to fully trusted administrators only. As an operational mitigation, ensure downloadable product files use unique filenames before upload. This reduces accidental collisions but does not fully address the underlying issue.

Metadata

CVE ID
CVE-2026-53648
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-09 20:50 UTC
Published
2026-07-06 23:12 UTC
Last updated
2026-07-06 23:12 UTC
Primary CWE
CWE-73
CWE-73: External Control of File Name or Path
Vendor / Product
FOSSBilling / FOSSBilling
Sources
cve.org  ·  NVD

Severity & Metrics

5.1 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
FOSSBilling FOSSBilling < 0.8.1
Weakness (CWE)
CWESourceDescription
CWE-668 cna CWE-668: Exposure of Resource to Wrong Sphere
CWE-73 cna CWE-73: External Control of File Name or Path
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.1 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
References (1)
Back to overview