FOSSBilling
CVE-2026-53641
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Admin privileges required to inject payload (PR:H); client must view email history (UI:R); XSS executes in client browser scope, a distinct security context (S:C); no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a stored cross-site scripting (XSS) vulnerability in the client-facing email history views of FOSSBilling. Email HTML content (content_html) is rendered into a JavaScript template literal using the |raw filter, bypassing all output escaping. An attacker with admin access can inject malicious JavaScript payloads into email content that execute in the browser of any client who views their email history. Version 0.8.0 contains a fix. Some workarounds are available. Restrict admin account access, audit email content in the database for suspicious payloads, and/or monitor client accounts for unusual activity.
AnalysisAI
Stored XSS in FOSSBilling 0.6.0-0.7.2 allows an authenticated admin to inject persistent JavaScript payloads into email HTML content that execute in client browsers when victims view their email history. The root cause is use of the |raw Twig filter to embed content_html directly into a JavaScript template literal, bypassing all output escaping. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated admin account on the FOSSBilling instance (confirmed by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.8 (Medium) accurately reflects a meaningful constraint: PR:H means a full admin account is required, making this an insider-threat or account-takeover-chained scenario rather than an opportunistic attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or has compromised an admin account sends a crafted email to one or more clients with a JavaScript payload embedded in the HTML body - for example, a script that exfiltrates the client's session cookie to an attacker-controlled endpoint. When any targeted client opens their email history in the FOSSBilling web portal, the unescaped `content_html` is injected into a JavaScript template literal and executed immediately in the browser, enabling session hijacking without any further interaction. … |
| Remediation | The primary fix is upgrading to FOSSBilling version 0.8.0, which resolves the unsafe `|raw` rendering of `content_html` in email history templates. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Fossbilling
View allSQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3. Rated critical severity (CVSS 9.8), this vuln
Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb
Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3. Rated high
Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated high severity (CVSS 7.5), this
Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. Rated high severity (CVSS 7.2), this vulnera
Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium severity (CVSS 6.5), thi
Cross-site Scripting (XSS) - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4. Rated medium severit
Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privi
Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. Rated critical severity (CV
Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium severity (CVSS 5.7), thi
Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium sev
Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1. Rated medium severity (CVSS 5.4), this vul
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today