Description
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.
Published: 2026-06-23
Score: 9.4 Critical
EPSS: 1.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FOSSBilling versions older than 0.8.0 suffer a Server‑Side Template Injection flaw in the Twig rendering engine. Because the engine is invoked without a sandbox, a user with administrative privileges can embed arbitrary Twig expressions, which allows an attacker to read internal data and execute code on the server. The vulnerability is identified as CWE‑1336 and enables both information disclosure and remote code execution.

Affected Systems

The affected product is FOSSBilling, specifically all releases preceding 0.8.0. Administrators who use the email template editor, mass mail features, custom payment adapters, or call the `string_render` API endpoint are exposed to the risk.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity. The EPSS score of 2% indicates that the likelihood of exploitation is low but not zero, while the absence of a KEV listing does not diminish the risk; the flaw can be abused whenever an attacker gains sufficient privileges to submit template code. The suspension of Twig’s sandbox makes the attack path straightforward for privileged users, and the vulnerability can be coupled with other known issues in the same release to increase impact.

Generated by OpenCVE AI on June 24, 2026 at 15:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system to FOSSBilling 0.8.0 or later to apply the official fix.
  • Review and sanitize all existing email, SMS, and payment‑adapter templates for hidden Twig expressions, deleting or neutralizing any that are not strictly required.
  • Rotate all administrative and client API tokens to invalidate any that may have been exposed.
  • Configure the reverse proxy or WAF to block external access to /api/system/*, preventing accidental exploitation of the string_render endpoint.

Generated by OpenCVE AI on June 24, 2026 at 15:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Fossbilling
Fossbilling fossbilling
Vendors & Products Fossbilling
Fossbilling fossbilling

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.
Title FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE
Weaknesses CWE-1336
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Fossbilling Fossbilling
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:04:42.867Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28496

cve-icon Vulnrichment

Updated: 2026-06-23T15:03:46.616Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:30:17Z

Weaknesses
  • CWE-1336

    Improper Neutralization of Special Elements Used in a Template Engine