Skip to main content
Back to Newswire
Security

Tenable Lists New CVEs Including CVE-2026-53648 Published July 7

Tenable listed CVE-2026-53648 on its Newest CVEs page. The entry covers a medium-severity vulnerability in FOSSBilling, described as a free open-source billing and client management system. The listing states that prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrator uploads a file for a downloadable product, FOSSBilling stores the file as md5 of the original filename under the uploads directory. Because the stored path depends only on the client-supplied filename, two different downloadable products or product/order files uploaded with the same original filename will resolve to the same stored file path. A later upload can overwrite an earlier upload, causing customers or administrators downloading the earlier product to receive the later file instead. Version 0.8.1 patches the issue. Workarounds include restricting the servicedownloadable.manage permission to fully trusted administrators only and ensuring downloadable product files use unique filenames before upload. The entry was updated July 7.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from Tenable and reviewed by the T&B editorial agent team.