
FOSSBilling CVE-2026-28496

EUVD: EUVD-2026-38455 CRITICAL
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2026-06-23 GitHub_M
9.4
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Network-reachable admin endpoints (AV:N/AC:L), administrator role required (PR:H), no user interaction, and template engine breakout impacts other components (S:C) with full CIA loss.

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 23, 2026 - 16:01 (EUVD)
Analysis Generated: Jun 23, 2026 - 15:05 (vuln.today)

Description (CVE.org)

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the string_render API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.
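The root cause stated in the description is Twig rendering without a sandbox. As an added illustration (not FOSSBilling's code and not its 0.8.0 patch), the following shows the generic Twig hardening pattern: administrator-supplied template strings are rendered through Twig's SandboxExtension with an allow-list SecurityPolicy, so expressions outside the declared tags, filters, functions and object access raise a SecurityError instead of executing; the template sources and variables are constructed for the example.

```php
<?php
// Added example (not FOSSBilling code): render administrator-supplied
// template strings under a Twig sandbox with an allow-list policy.
// Assumes Twig 3 installed via Composer (package twig/twig).
require __DIR__ . '/vendor/autoload.php';
use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Allow-list of what a billing e-mail template legitimately needs. Anything
// outside it fails with a SecurityError: tags/filters/functions are checked
// at compile time, method and property access on objects at run time.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],                                             // tags
    ['escape', 'upper', 'lower', 'date', 'number_format', 'default'], // filters
    [],                                                               // methods
    [],                                                               // properties
    ['range']                                                         // functions
);

$twig = new Environment(new ArrayLoader([]), [
    'autoescape'       => 'html',
    'strict_variables' => true,
]);
// Second argument true = sandbox is global, i.e. enforced on every render,
// not only inside {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

/**
 * Render an untrusted template body against a context of plain values only
 * (scalars and arrays; never service objects or the DI container).
 * Returns null, after logging, when the policy rejects the template.
 */
function renderUntrusted(Environment $twig, string $source, array $vars): ?string
{
    try {
        return $twig->createTemplate($source)->render($vars);
    } catch (SecurityError $e) {
        error_log('Template rejected by sandbox policy: ' . $e->getMessage());
        return null;
    }
}

// Constructed inputs: an ordinary invoice notice, and one using a filter
// that is not on the allow-list (rejected, so the second call returns null).
$vars = ['client_name' => 'Ada <Lovelace>', 'invoice_total' => 1234.5];
var_dump(renderUntrusted($twig, 'Hello {{ client_name|upper }}, total {{ invoice_total|number_format(2) }}', $vars));
var_dump(renderUntrusted($twig, '{{ client_name|map(x => x) }}', $vars));
```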

Analysis (AI)

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arbitrary code and disclose sensitive information by injecting Twig expressions into template-rendering features. The unsandboxed Twig environment exposes the application's dependency injection container, turning any admin-accessible template surface into a full RCE primitive. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain admin credentials or chain GHSA-78x5-c8gw-8279
Delivery: Reach Twig-rendering surface (email template or string_render)
Exploit: Inject Twig expression accessing DI container
Execution: Trigger render via test email or API call
Persist: Execute arbitrary code as web user
Impact: Exfiltrate billing data and pivot

Vulnerability Assessment (AI)

Exploitation: Requires authenticated access to a FOSSBilling administrator account (or another principal able to reach the string_render API endpoint and template-rendering features such as email templates, mass-mail campaigns, or custom payment adapters). …
Risk Assessment: The CVSS 4.0 base score of 9.4 (AV:N/AC:L/AT:N/PR:H/UI:N, VC/VI/VA:H, SC/SI/SA:H) accurately reflects that an admin-level attacker achieves both vulnerable-system and subsequent-system compromise, but the PR:H requirement is the dominant limiting factor: this is not a drive-by issue. …
Exploit Scenario: An attacker who has obtained admin credentials (via phishing, password reuse, or by chaining the related auth-bypass advisory GHSA-78x5-c8gw-8279 against /api/system/*) edits an email template or posts to the string_render API endpoint with a Twig payload that walks from the rendering context into the dependency injection container, retrieves a service capable of executing shell commands or reading arbitrary files, and triggers rendering by sending a test email or invoking the endpoint. The payload runs in the web server's user context, yielding RCE and full database access. …
Remediation: Vendor-released patch: upgrade FOSSBilling to 0.8.0 or later per advisory GHSA-57mv-jm88-66jc (https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc). …

Recommended Action (AI)

Within 24 hours: Enumerate and audit all FOSSBilling administrator accounts; disable template-editing features if operationally feasible; enable comprehensive audit logging of admin activities. …

