
FOSSBilling

v0.8.2 Security

This release includes 5 security fixes; security teams reviewing exposed deployments should review them.

Published 23h ago. Category: Productivity & Wikis
✓ No known CVEs patched
This release patches 5 known CVEs

Topics

billing, bootstrap, docker, doctrine, hosting, mariadb, mysql, payments, php, self-hosted, twig

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal

ReleasePort Layer 1: this release introduces several security hardening changes: rate limiting for guest invoice, PDF, and payment APIs; a required security hash for the guest cron endpoint; validation of extension uninstall paths to block directory traversal; and a fix for reverse tabnapping in the Theme service.

Why it matters: Security-related facts have severity scores ranging from 60 to 85, with the highest (85) addressing a reverse tabnapping flaw that could mislead users. Operators should prioritize reviewing these mitigations before deploying version 0.8.2.

Summary

AI summary

Updates 🔐 Security, 📈 Enhancements, and 🐛 Bug Fixes across a mixed release.

Changes in this release

  • Security (High): Adds rate limiting to guest invoice, PDF, and payment APIs with per-hash and per-IP limits. Source: llm_adapter@2026-06-04; confidence: high.
  • Security (High): Requires a security hash for the guest cron endpoint and simplifies cron management. Source: llm_adapter@2026-06-04; confidence: high.
  • Security (High): Validates extension uninstall paths to prevent directory traversal and hardens core-module protection. Source: llm_adapter@2026-06-04; confidence: high.
  • Security (High): Fixes a reverse tabnapping vulnerability in the Theme service and related bugs. Source: llm_adapter@2026-06-04; confidence: high.
  • Security (Medium): Prevents password values from being echoed in login templates. Source: llm_adapter@2026-06-04; confidence: high.
  • Feature (Medium): Enforces one-time payment support per gateway and requires gateway keys based on operating mode; adds readiness checks in the UI. Source: llm_adapter@2026-06-04; confidence: high.
  • Feature (Medium): Adds built-in syntax validation, error tracking, bulk actions, and batch delete for email templates. Source: llm_adapter@2026-06-04; confidence: high.
  • Feature (Medium): Adds widget slots to login forms, allowing extensions to inject content. Source: llm_adapter@2026-06-04; confidence: high.
  • Performance (Medium): Caches Doctrine ORM metadata on the filesystem for improved performance. Source: llm_adapter@2026-06-04; confidence: high.
  • Bugfix (Medium): Fixes a crash when testing the DirectAdmin server connection. Source: llm_adapter@2026-06-04; confidence: high.
  • Bugfix (Medium): Restores the ADMIN_AREA guard in theme route selection so the correct admin theme loads. Source: granite4.1:30b@2026-06-04-audit; confidence: low.
  • Bugfix (Medium): Fixes a regression that prevented extensions from updating. Source: granite4.1:30b@2026-06-04-audit; confidence: low.
  • Refactor (Low): Adds PSR-3 styled logger methods (emergency, alert, critical, etc.) to Box_Log with centralized writer failure handling. Source: granite4.1:30b@2026-06-04-audit; confidence: low.
Full changelog

0.8.2

Alongside this release, we are publishing a further batch of security advisories for vulnerabilities addressed in 0.8.0 and 0.8.1.

Users should upgrade to 0.8.2 as soon as practical. Installations that have not yet upgraded from older releases should treat 0.8.2 as the recommended security baseline.

πŸ” Security

  • Rate limiting has been added to guest invoice, PDF, and payment APIs with per-hash and per-IP limits. Invoice hash format is now validated, and hashes expire over time. (#3694)
  • The guest cron endpoint now requires a security hash, and cron management has been simplified to reduce exposure. (#3698)
  • Extension uninstall paths are now validated to prevent directory traversal, and core-module protection has been hardened. (#3718)
  • Fixed a reverse tabnapping vulnerability in the Theme service, along with a loop-invariant settings call and incorrect compound extension stripping. (#3723)
  • Password values are no longer echoed in login templates. (#3714)
  • Improved type safety and authentication checks across the codebase, including ticket input sanitization and hardening against null and undefined values. (#3701)

📈 Enhancements

  • Payment gateway validation now enforces one-time payment support per gateway and requires gateway keys based on operating mode. Update readiness checks have been integrated into the gateway settings UI, and the product form_id is now available through the guest API. (#3699)
  • Email templates now support built-in syntax validation with error tracking in the admin panel, along with bulk actions and batch delete. (#3720)
  • Doctrine ORM metadata is now cached on the filesystem for improved performance. (#3696)
  • Widget slots have been added to login forms so extensions can inject content into the login experience. (#3712)

πŸ› Bug Fixes

  • Fixed a crash when testing the DirectAdmin server connection. (#3692)
  • Fixed a regression that prevented extensions from updating. (#3713)
  • Restored the ADMIN_AREA guard in theme route selection so the correct theme is loaded in the admin area. (#3717)
  • PSR-3 styled logger method names (emergency, alert, critical, etc.) are now available on Box_Log, with centralized writer failure handling. (#3691)

πŸ“ Changes

  • Leftover module files from the removed Paidsupport and Servicemembership modules have been cleaned up. (#3690)
  • End-to-end tests have been moved into their respective modules with updated test configuration. (#3707)

📦 Dependencies

  • Updated Twig to v3.27.1
  • Updated CKEditor 5 to v48.2.0
  • Updated DiceBear styles to v10.1.0 and core to v10.0.2
  • Updated php-cs-fixer to v3.95.4


About FOSSBilling

Hosting and billing automation. Integrates with WHM, CWP, cPanel and HestiaCP. Full API and easily extensible.


Related context

Earlier breaking changes

  • v0.8.0 Paidsupport and Servicemembership have been removed.
  • v0.8.0 The public guest system version endpoint has been removed.
  • v0.8.0 FOSSBilling now requires PHP 8.3 or newer.
