| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| FOSSBilling-0.8.2.zip | 2026-06-04 | 31.3 MB | |
| 0.8.2 source code.tar.gz | 2026-06-04 | 10.0 MB | |
| 0.8.2 source code.zip | 2026-06-04 | 10.5 MB | |
| README.md | 2026-06-04 | 2.7 kB | |
| Totals: 4 Items | 51.9 MB | 1 | |
0.8.2
Alongside this release, we are publishing a further batch of security advisories for vulnerabilities addressed in 0.8.0 and 0.8.1.
Users should upgrade to 0.8.2 as soon as practical. Installations that have not yet upgraded from older releases should treat 0.8.2 as the recommended security baseline.
🔐 Security
- Rate limiting has been added to guest invoice, PDF, and payment APIs with per-hash and per-IP limits. Invoice hash format is now validated, and hashes expire over time. (#3694)
- The guest cron endpoint now requires a security hash, and cron management has been simplified to reduce exposure. (#3698)
- Extension uninstall paths are now validated to prevent directory traversal, and core-module protection has been hardened. (#3718)
- Fixed a reverse tabnapping vulnerability in the Theme service, along with a loop-invariant settings call and incorrect compound extension stripping. (#3723)
- Password values are no longer echoed in login templates. (#3714)
- Improved type safety and authentication checks across the codebase, including ticket input sanitization and hardening against null and undefined values. (#3701)
📈 Enhancements
- Payment gateway validation now enforces one-time payment support per gateway and requires gateway keys based on operating mode. Update readiness checks have been integrated into the gateway settings UI, and the product
form_idis now available through the guest API. (#3699) - Email templates now support built-in syntax validation with error tracking in the admin panel, along with bulk actions and batch delete. (#3720)
- Doctrine ORM metadata is now cached on the filesystem for improved performance. (#3696)
- Widget slots have been added to login forms so extensions can inject content into the login experience. (#3712)
🐛 Bug Fixes
- Fixed a crash when testing the DirectAdmin server connection. (#3692)
- Fixed a regression that prevented extensions from updating. (#3713)
- Restored the
ADMIN_AREAguard in theme route selection so the correct theme is loaded in the admin area. (#3717) - PSR-3 styled logger method names (
emergency,alert,critical, etc.) are now available onBox_Log, with centralized writer failure handling. (#3691)
📝 Changes
- Leftover module files from the removed Paidsupport and Servicemembership modules have been cleaned up. (#3690)
- End-to-end tests have been moved into their respective modules with updated test configuration. (#3707)
📦 Dependencies
- Updated Twig to v3.27.1
- Updated CKEditor 5 to v48.2.0
- Updated DiceBear styles to v10.1.0 and core to v10.0.2
- Updated php-cs-fixer to v3.95.4