## https://sploitus.com/exploit?id=73145169-506F-578D-AE1C-380D0AB428CB
```
 ███████╗ ██████╗ ███████╗██╗  ██╗██╗██╗     ██╗     ███████╗██████╗ 
 ██╔════╝██╔═══██╗██╔════╝██║ ██╔╝██║██║     ██║     ██╔════╝██╔══██╗
 █████╗  ██║   ██║███████╗█████╔╝ ██║██║     ██║     █████╗  ██████╔╝
 ██╔══╝  ██║   ██║╚════██║██╔═██╗ ██║██║     ██║     ██╔══╝  ██╔══██╗
 ██║     ╚██████╔╝███████║██║  ██╗██║███████╗███████╗███████╗██║  ██║
 ╚═╝      ╚═════╝ ╚══════╝╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚══════╝╚═╝  ╚═╝
```

**made by [7megaumka7](https://github.com/7megaumka7)**

PoC tool for two accepted GitHub Security Advisory vulnerabilities in [FOSSBilling](https://fossbilling.org/) ≤ 0.7.2

[![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=flat-square)](https://python.org)
[![License](https://img.shields.io/badge/License-MIT-green?style=flat-square)](LICENSE)
[![CVE-2026-53647](https://img.shields.io/badge/CVE--2026--53647-Moderate%206.9-orange?style=flat-square)](https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-737q-9gpr-6mpq)
[![CVE-2026-53646](https://img.shields.io/badge/CVE--2026--53646-High%207.7-red?style=flat-square)](https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-vp66-w6rc-x32p)



---

## Table of Contents

- [Introduction](#introduction)
- [Vulnerabilities](#vulnerabilities)
  - [CVE-2026-53647 — Unauthenticated API Key Config Disclosure](#cve-2026-53647--unauthenticated-api-key-config-disclosure)
  - [CVE-2026-53646 — Password Reset Token Reuse](#cve-2026-53646--password-reset-token-reuse)
- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
  - [Flags](#flags)
  - [Modes](#modes)
  - [Examples](#examples)
- [Sample Output](#sample-output)
- [Remediation](#remediation)
- [Responsible Disclosure](#responsible-disclosure)
- [Legal Disclaimer](#legal-disclaimer)
- [Credits](#credits)

---

## Introduction

**FOSKiller** is a proof-of-concept tool demonstrating two security vulnerabilities in
[FOSSBilling](https://fossbilling.org/) — an open-source billing and client management
platform. Both vulnerabilities were responsibly disclosed through the GitHub Security
Advisory program and are fully patched in FOSSBilling **0.7.3+**.

The tool is intended for:
- Security researchers verifying their own FOSSBilling installations
- Penetration testers conducting authorized engagements
- Defenders confirming patch application

| Advisory | CVE | Type | CVSS | Affected |
|---|---|---|---|---|
| [GHSA-737q-9gpr-6mpq](https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-737q-9gpr-6mpq) | CVE-2026-53647 | Unauthenticated API Key Config Disclosure | **6.9 Moderate** | >= 0.5.3, = 0.5.6, |

---

## Requirements

If dependencies are missing, the script detects this on startup and offers to install them automatically.

---

## Installation

**Clone and install dependencies:**

```bash
git clone https://github.com/7megaumka7/FOSKiller.git
cd FOSKiller
pip install -r requirements.txt
```

**Or run without pre-installing** — the script will prompt to install missing packages on first run.

---

## Usage

```
python fossbilling_poc.py --target URL [--key KEY] [--email EMAIL]
                          [--check-only | --exploit]
                          [--force] [--output FILE]
                          [--timeout SEC] [--proxy URL]
```

### Flags

| Flag | Required | Description |
|---|---|---|
| `--target URL` | Yes | Base URL of the FOSSBilling instance |
| `--key KEY` | For CVE-2026-53647 | API key to test |
| `--email EMAIL` | For CVE-2026-53646 | Client email to test |
| `--check-only` | No | Detection mode — confirm vulnerability without extracting data |
| `--exploit` | No | Full extraction + attack chain documentation |
| `--force` | No | Skip version range check |
| `--output FILE` | No | Save full results to a JSON file |
| `--timeout SEC` | No | HTTP timeout in seconds (default: `10`) |
| `--proxy URL` | No | HTTP proxy (e.g. `http://127.0.0.1:8080`) |

`--check-only` and `--exploit` are mutually exclusive.

### Modes

| Mode | Flag | What it does |
|---|---|---|
| **Detection** | `--check-only` | Confirms the vulnerability exists. Does not display or extract sensitive values. |
| **Default** | *(no mode flag)* | Confirms status and shows basic evidence. |
| **Exploitation** | `--exploit` | Extracts all leaked fields; documents full account-takeover chain with timing metadata. |

### Examples

**Detection only — verify both CVEs without extracting data:**
```bash
python fossbilling_poc.py \
  --target https://billing.example.com \
  --key myservicekey \
  --email client@example.com \
  --check-only
```

**Full extraction and attack chain documentation:**
```bash
python fossbilling_poc.py \
  --target https://billing.example.com \
  --key myservicekey \
  --email client@example.com \
  --exploit
```

**Save results to JSON and route through Burp Suite:**
```bash
python fossbilling_poc.py \
  --target https://billing.example.com \
  --key myservicekey \
  --email client@example.com \
  --output results.json \
  --proxy http://127.0.0.1:8080
```

**Test an unknown or already-patched version:**
```bash
python fossbilling_poc.py \
  --target https://billing.example.com \
  --key myservicekey \
  --force
```

---

## Sample Output

```
[*] Probing https://billing.example.com …
[+] Detected version: 0.7.1
[+] CVE-2026-53647 affected range (>=0.5.3 =0.5.6
```

---

## Remediation

Upgrade to **FOSSBilling >= 0.7.3**, which addresses both vulnerabilities.

If immediate patching is not possible:

| CVE | Interim Mitigation |
|---|---|
| CVE-2026-53647 | Block access to `/api/guest/serviceapikey/` at the web server or WAF level |
| CVE-2026-53646 | Implement token invalidation on re-issue; add rate-limiting to the reset endpoint |
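The second interim mitigation in the table above describes a property of the reset flow rather than a configuration change, so here is an added illustration of what "token invalidation on re-issue" plus rate limiting looks like in code. This is example code written for this README, not FOSSBilling's own implementation; the `PasswordResetService` class, its method names and its limits (15-minute token lifetime, three issues per address per 10 minutes) are assumptions chosen for the example. Issuing a new token replaces the previous one so an older token can never be redeemed, each token is redeemable exactly once, only a hash of the token is stored, and the comparison is constant-time.

```python
"""Single-use password-reset tokens with invalidation on re-issue and
per-account rate limiting (added example, not FOSSBilling code).

Assumed names: PasswordResetService, issue(), consume(), ResetRecord.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ResetRecord:
    token_hash: str      # SHA-256 hex digest of the token; the token itself is never stored
    expires_at: float    # absolute epoch time after which the token is dead


class PasswordResetService:
    TOKEN_TTL = 15 * 60      # seconds a token stays valid (assumed value)
    RATE_WINDOW = 10 * 60    # per-email rate-limit window in seconds (assumed value)
    RATE_LIMIT = 3           # max token issues per email inside the window (assumed value)

    def __init__(self, clock: Callable[[], float] = time.time):
        # Injectable clock so expiry can be exercised deterministically in tests.
        self._clock = clock
        self._active: Dict[str, ResetRecord] = {}   # email -> the ONE currently valid record
        self._issues: Dict[str, List[float]] = {}   # email -> timestamps of recent issues

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> Optional[str]:
        """Return a fresh token, or None when the email is rate-limited.

        Writing the new record over the old one is the re-issue invalidation:
        whatever token was sent earlier no longer matches anything.
        """
        now = self._clock()
        recent = [t for t in self._issues.get(email, []) if now - t < self.RATE_WINDOW]
        if len(recent) >= self.RATE_LIMIT:
            self._issues[email] = recent
            return None
        recent.append(now)
        self._issues[email] = recent
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._active[email] = ResetRecord(self._digest(token), now + self.TOKEN_TTL)
        return token

    def consume(self, email: str, token: str) -> bool:
        """Redeem a token exactly once.

        True only for the current, unexpired token for this email. The record
        is deleted on success (single use) and on expiry, so a replayed token
        fails with the same generic result as a wrong one.
        """
        rec = self._active.get(email)
        if rec is None:
            return False
        if self._clock() > rec.expires_at:
            del self._active[email]
            return False
        if not hmac.compare_digest(rec.token_hash, self._digest(token)):
            return False
        del self._active[email]
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    first = svc.issue("client@example.com")
    second = svc.issue("client@example.com")
    print("old token accepted after re-issue:", svc.consume("client@example.com", first))
    print("current token accepted:", svc.consume("client@example.com", second))
    print("same token accepted twice:", svc.consume("client@example.com", second))
```

In a real deployment the records would live in the database row for the client (or a dedicated table with a unique constraint per client) rather than in a dictionary, and the per-email limit should be backed by an HTTP-layer limit on the reset endpoint as well, since the in-process counter above resets whenever the process restarts.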

---

## Responsible Disclosure

Both vulnerabilities were reported to the FOSSBilling maintainers through the
GitHub Security Advisory program prior to this publication.

- Advisory 1: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-737q-9gpr-6mpq
- Advisory 2: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-vp66-w6rc-x32p

---

## Legal Disclaimer

> **This tool is provided for educational purposes and authorized security testing only.**
>
> Only use this tool against systems you own or have received **explicit written permission** to test.
> Unauthorized use against third-party systems is illegal under the Computer Fraud and Abuse Act (CFAA),
> the Computer Misuse Act, and equivalent legislation worldwide.
>
> The author assumes **no responsibility** for misuse, damage, or legal consequences arising from
> the use of this tool. By using this tool you agree that you are solely responsible for your actions.

---

## Credits

**Researcher & Author:** [7megaumka7](https://github.com/7megaumka7)

Vulnerability discovery, analysis, responsible disclosure, and tool development.