Description
An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Checkout Authentication Flow component
Published: 2026-04-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply patch
AI Analysis

Impact

The vulnerability exists in the Checkout Authentication Flow component of Hostbill and allows a remote attacker who sends crafted requests to trigger resource exhaustion that brings the service down. The flaw is classified as CWE-400 (Uncontrolled Resource Consumption): attacker-supplied input is not adequately validated or limited, so processing it consumes resources until service is denied. The impact is a loss of availability of the checkout process, and potentially of the entire billing system, while the denial of service is active.

Affected Systems

Hostbill. Versions 2025-11-24 and 2025-12-01 are affected. Any deployment of these versions should be considered at risk until the issue is mitigated.

Risk and Exploitability

The CVSS score of 5.3 rates the vulnerability as medium severity. The EPSS score of under 1% indicates that exploitation is currently unlikely, and the CVE is not listed in CISA's KEV catalog. The attack vector is network-based and relies on interacting with the checkout authentication flow, so any exposed web interface that processes checkout requests is a potential entry point. Because exploitation requires sending repeated or malformed requests, the risk is reduced but not negligible against attackers with sufficient persistence or resources.

Generated by OpenCVE AI on April 28, 2026 at 07:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hostbill to a version released after 2025-12-01 that resolves the checkout authentication flow issue, following the Hostbill changelog and release notes.
  • If an immediate upgrade is not possible, implement rate limiting or CAPTCHA on the checkout authentication endpoint to prevent automated request flooding.
  • Continuously monitor checkout logs for unusually high request rates or repeated authentication failures, and block or alert on suspicious patterns.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 07:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: Denial of Service via Checkout Authentication Flow in Hostbill

Mon, 27 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Hostbillapp; Hostbillapp hostbill

Type: Vendors & Products
Values Removed: (none)
Values Added: Hostbillapp; Hostbillapp hostbill

Fri, 24 Apr 2026 16:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-400

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Checkout Authentication Flow component

Type: References
Values Removed: (none)
Values Added: (none)

Subscriptions

Hostbillapp Hostbill
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-24T16:04:54.622Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31052

Vulnrichment

Updated: 2026-04-24T16:03:57.628Z

NVD

Status: Deferred

Published: 2026-04-24T15:16:27.210

Modified: 2026-04-24T17:55:55.317

Link: CVE-2026-31052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses