Skip to main content

FOSSBilling CVE-2026-53641

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-06 GitHub_M
4.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Admin privileges required to inject payload (PR:H); client must view email history (UI:R); XSS executes in client browser scope, a distinct security context (S:C); no availability impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 23:21 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a stored cross-site scripting (XSS) vulnerability in the client-facing email history views of FOSSBilling. Email HTML content (content_html) is rendered into a JavaScript template literal using the |raw filter, bypassing all output escaping. An attacker with admin access can inject malicious JavaScript payloads into email content that execute in the browser of any client who views their email history. Version 0.8.0 contains a fix. Some workarounds are available. Restrict admin account access, audit email content in the database for suspicious payloads, and/or monitor client accounts for unusual activity.

AnalysisAI

Stored XSS in FOSSBilling 0.6.0-0.7.2 allows an authenticated admin to inject persistent JavaScript payloads into email HTML content that execute in client browsers when victims view their email history. The root cause is use of the |raw Twig filter to embed content_html directly into a JavaScript template literal, bypassing all output escaping. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise admin credentials
Delivery
Craft malicious JavaScript in email HTML body
Exploit
Send email to target client via admin panel
Execution
Client views email history in portal
Persist
Unescaped payload executes in client browser
Impact
Exfiltrate session token or perform unauthorized client-side actions

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated admin account on the FOSSBilling instance (confirmed by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.8 (Medium) accurately reflects a meaningful constraint: PR:H means a full admin account is required, making this an insider-threat or account-takeover-chained scenario rather than an opportunistic attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or has compromised an admin account sends a crafted email to one or more clients with a JavaScript payload embedded in the HTML body - for example, a script that exfiltrates the client's session cookie to an attacker-controlled endpoint. When any targeted client opens their email history in the FOSSBilling web portal, the unescaped `content_html` is injected into a JavaScript template literal and executed immediately in the browser, enabling session hijacking without any further interaction. …
Remediation The primary fix is upgrading to FOSSBilling version 0.8.0, which resolves the unsafe `|raw` rendering of `content_html` in email history templates. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-3490 CRITICAL POC
9.8 Jun 30

SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3. Rated critical severity (CVSS 9.8), this vuln

CVE-2026-28496 CRITICAL POC
9.4 Jun 23

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb

CVE-2023-3491 HIGH POC
8.8 Jun 30

Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3. Rated high

CVE-2023-3230 HIGH POC
7.5 Jun 14

Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated high severity (CVSS 7.5), this

CVE-2023-3393 HIGH POC
7.2 Jun 23

Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. Rated high severity (CVSS 7.2), this vulnera

CVE-2023-3229 MEDIUM POC
6.5 Jun 14

Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium severity (CVSS 6.5), thi

CVE-2023-3521 MEDIUM POC
6.1 Jul 06

Cross-site Scripting (XSS) - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4. Rated medium severit

CVE-2026-27604 CRITICAL
10.0 Jun 23

Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privi

CVE-2023-4005 CRITICAL
9.8 Jul 31

Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. Rated critical severity (CV

CVE-2023-3228 MEDIUM POC
5.7 Jun 14

Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium severity (CVSS 5.7), thi

CVE-2023-3227 MEDIUM POC
5.7 Jun 14

Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium sev

CVE-2023-3394 MEDIUM POC
5.4 Jun 23

Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1. Rated medium severity (CVSS 5.4), this vul

Share

CVE-2026-53641 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy