CVE-2026-43928 in FOSSBilling
Summary
by MITRE • 07/07/2026
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount (`mc_gross`) to the client's balance without validating it against the invoice total. Combined with a $0.05 floating-point epsilon tolerance in the invoice credit-payment logic, this allows a client to underpay an invoice by up to $0.04 and still have it marked as fully paid. Version 0.8.0 patches the issue. There is no effective workaround without modifying the source code. Merchants using the PayPalEmail adapter should monitor IPN transactions for amounts that do not match their corresponding invoice totals, and manually review and refund suspicious payments.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
The FOSSBilling vulnerability represents a critical financial integrity flaw in the PayPalEmail payment adapter that existed prior to version 0.8.0. This security issue stems from inadequate input validation within the payment processing logic where the system blindly accepts the mc_gross parameter from PayPal IPN callbacks without cross-referencing it against the actual invoice amount. The vulnerability creates a monetary manipulation vector that allows malicious actors or even honest errors in payment processing to result in unauthorized credit adjustments to client accounts. The system's failure to implement proper validation mechanisms means that any payment received through this adapter could be manipulated to appear as full payment even when only partial amounts are actually processed.
The technical implementation of this vulnerability involves a specific floating-point arithmetic tolerance mechanism that introduces an epsilon value of $0.05 in the invoice credit-payment comparison logic. This design decision, while perhaps intended to handle minor rounding differences in currency calculations, creates an exploitable window where payments can be underpaid by up to $0.04 and still be accepted as complete payments. The underlying issue manifests through the lack of proper cryptographic verification and transaction integrity checks that should validate payment amounts against expected invoice totals. This type of vulnerability aligns with CWE-284 Access Control Flaws, specifically relating to insufficient validation of payment data within financial transaction processing systems.
The operational impact of this vulnerability extends beyond simple financial loss to encompass broader security implications for merchant operations. Attackers could potentially exploit this weakness to systematically underpay invoices while maintaining full payment status in the system, leading to revenue leakage that accumulates over time. The vulnerability also creates audit trail complications where payment records become inconsistent with actual business transactions, making it difficult for merchants to maintain accurate financial reporting and compliance. Furthermore, the issue affects the trust relationship between merchants and their clients, as legitimate payment processing errors could result in incorrect account balances and customer service issues that require manual intervention.
Organizations using FOSSBilling with the PayPalEmail adapter must implement immediate monitoring procedures to detect anomalous payment patterns where transaction amounts deviate from expected invoice totals. The recommended mitigation strategy involves establishing manual review processes for suspicious payments, including verification of actual payment amounts against invoice totals and implementing automated alerts for transactions that fall outside normal tolerance ranges. Security teams should also consider disabling the PayPalEmail adapter temporarily while implementing more robust validation mechanisms or upgrading to version 0.8.0 where the vulnerability has been patched. From an ATT&CK perspective, this vulnerability could be categorized under TA0001 Initial Access and TA0004 Privilege Escalation, as it allows for unauthorized financial adjustments that could potentially lead to more extensive system compromise if payment manipulation is combined with other attack vectors.
The patch implemented in version 0.8.0 addresses the core validation issue by enforcing proper comparison between IPN-supplied amounts and actual invoice totals without accepting any tolerance beyond acceptable rounding errors. This fix ensures that payment processing maintains integrity through proper input validation and prevents the exploitation of floating-point arithmetic tolerances that previously allowed partial payments to be accepted as full payments. The vulnerability demonstrates the critical importance of implementing robust financial transaction validation in open-source systems and highlights the need for continuous security auditing of payment processing components within billing platforms. Merchants should also consider implementing additional security controls such as transaction logging, automated reconciliation processes, and regular audit procedures to prevent similar issues from arising in other payment processing modules or third-party integrations that may not have been properly validated against industry standards for financial transaction integrity.