Skip to main content

FOSSBilling CVE-2026-40495

| EUVDEUVD-2026-34175 MEDIUM
Information Exposure (CWE-200)
2026-06-03 security-advisories@github.com
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 03, 2026 - 22:01 EUVD
Source Code Evidence Fetched
Jun 03, 2026 - 20:35 vuln.today
Analysis Generated
Jun 03, 2026 - 20:35 vuln.today

DescriptionGitHub Advisory

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the hide_version_public security setting. The FOSSBilling version is embedded in the query string of every <script> and <link> tag generated by the script_tag and stylesheet_tag Twig filters. This information is visible to all visitors - including unauthenticated guests - on every page, regardless of whether the hide_version_public setting is enabled. The X-FOSSBilling-Version HTTP header and the guest.system.version API endpoint correctly honour the hide_version_public setting, but the asset cache buster parameters were overlooked. Knowledge of the exact FOSSBilling version makes it significantly easier for malicious actors to identify known vulnerabilities applicable to a given installation and craft targeted exploits. While not a direct vulnerability on its own, it undermines the intended protection offered by the hide_version_public setting and facilitates reconnaissance. Version 0.8.0 contains a patch. There is no practical workaround that removes the version from asset URLs without modifying source code.

AnalysisAI

Version disclosure in FOSSBilling prior to 0.8.0 exposes the exact application version string to all visitors - including unauthenticated guests - via cache-busting query parameters appended to every rendered <script> and <link> HTML tag, directly bypassing the hide_version_public security control on every page of the application. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is network-accessible, unauthenticated, and requires no user interaction, making it trivially observable by any visitor. While not directly exploitable for code execution or data access, this reconnaissance enabler meaningfully lowers the barrier to targeting installations with other known FOSSBilling vulnerabilities; no public exploit has been identified at time of analysis and active exploitation has not been confirmed.

Technical ContextAI

FOSSBilling is a PHP-based open-source billing and client management system that uses Twig as its templating engine. The vulnerable code paths are the script_tag and stylesheet_tag Twig filters, which append the application version as a cache-busting query parameter (e.g., assets/main.css?v=0.7.x) to every static asset URL rendered in HTML output. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) applies directly: the hide_version_public setting was implemented to suppress version disclosure, but the mitigation was applied inconsistently - the X-FOSSBilling-Version HTTP response header and the guest.system.version API endpoint were correctly updated to honor the setting, while the asset URL rendering code path in the Twig filters was overlooked. The CVSS 4.0 vector SC:N/SI:N/SA:N confirms impact is scoped to the vulnerable component only, with no downstream system impact.

RemediationAI

Upgrade to FOSSBilling 0.8.0 or later, which patches this vulnerability by correcting the script_tag and stylesheet_tag Twig filter behavior to honor the hide_version_public configuration setting. The patched release is available at https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0. Important: 0.8.0 is a major release with breaking changes - it requires PHP 8.3 or newer, removes legacy modules (Paidsupport, Servicemembership), refactors guest API routes to expose less information publicly (including removal of the guest.system.version endpoint), and includes frontend build system changes that may affect custom themes or modules. Back up your installation and review the full release notes before upgrading. The vendor advisory confirms there is no practical workaround that removes the version from asset URLs without modifying source code; deploying a reverse proxy or WAF rule to strip query parameters from static asset responses could reduce observability at the network layer but would not address the root cause and risks breaking browser caching behavior for legitimate clients.

Share

CVE-2026-40495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy