Severity by source
Primary rating from Vendor (GitHub_M). CVSS 4.0 vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable admin endpoints (AV:N/AC:L), administrator role required (PR:H), no user interaction (UI:N), and a template-engine breakout that reaches other components (SC/SI/SA:H) with full confidentiality, integrity and availability loss (VC/VI/VA:H).
Description (source: CVE.org)
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the string_render API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.
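The root cause above is that admin-supplied Twig strings are rendered in an unsandboxed environment. As an added example (not FOSSBilling's own code; it assumes Twig 3.x installed via Composer and constructed sample inputs), the following shows the defensive pattern: an allow-list SecurityPolicy enforced by SandboxExtension on every template, so a template can only use the listed tags, filters and functions and cannot call methods or read properties on any object.

```php
<?php
// Added example, not FOSSBilling's code. Assumes Twig 3.x via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Allow-list policy: only what an email template legitimately needs.
// Empty method/property lists mean no object member access at all.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],                 // allowed tags
    ['escape', 'upper', 'lower', 'date'], // allowed filters
    [],                                   // allowed methods (none)
    [],                                   // allowed properties (none)
    ['range']                             // allowed functions
);

$twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
// Second argument true = sandbox applies to every template, not only
// those wrapped in {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

// Render an untrusted template string with scalar variables only.
// Any tag/filter/function outside the policy raises SecurityError.
function renderUntrusted(Environment $twig, string $source, array $vars): string
{
    try {
        return $twig->createTemplate($source)->render($vars);
    } catch (SecurityError $e) {
        // Refuse and log; never fall back to an unsandboxed render.
        error_log('Blocked template: ' . $e->getMessage());
        return '';
    }
}

// Constructed inputs for illustration.
$vars = ['client_name' => 'Ada'];
echo renderUntrusted($twig, 'Hello {{ client_name|upper }}', $vars), "\n";
// A filter not in the allow-list is rejected rather than executed.
echo renderUntrusted($twig, '{{ client_name|json_encode }}', $vars), "\n";
```

Pass only scalar values (or arrays of scalars) into the render context; handing the template an object such as a service container defeats the point even with the sandbox on.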
Analysis (AI-generated)
Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arbitrary code and disclose sensitive information by injecting Twig expressions into template-rendering features. The unsandboxed Twig environment exposes the application's dependency injection container, turning any admin-accessible template surface into a full RCE primitive. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires authenticated access to a FOSSBilling administrator account (or another principal able to reach the string_render API endpoint and template-rendering features such as email templates, mass-mail campaigns, or custom payment adapters). … |
| Risk Assessment | The CVSS 4.0 base score of 9.4 (AV:N/AC:L/AT:N/PR:H/UI:N, VC/VI/VA:H, SC/SI/SA:H) accurately reflects that an admin-level attacker achieves both vulnerable-system and subsequent-system compromise, but the PR:H requirement is the dominant limiting factor; this is not a drive-by issue. … |
| Exploit Scenario | An attacker who has obtained admin credentials (via phishing, password reuse, or by chaining the related auth-bypass advisory GHSA-78x5-c8gw-8279 against /api/system/*) edits an email template or posts to the string_render API endpoint with a Twig payload that walks from the rendering context into the dependency injection container, retrieves a service capable of executing shell commands or reading arbitrary files, and triggers rendering by sending a test email or invoking the endpoint. The payload runs in the web server's user context, yielding RCE and full database access. … |
| Remediation | Vendor-released patch: upgrade FOSSBilling to 0.8.0 or later per advisory GHSA-57mv-jm88-66jc (https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc). … |
Recommended Action (AI-generated)
Within 24 hours: Enumerate and audit all FOSSBilling administrator accounts; disable template-editing features if operationally feasible; enable comprehensive audit logging of admin activities. …
EUVD-2026-38455