Impact
FOSSBilling versions older than 0.8.0 suffer a Server‑Side Template Injection flaw in the Twig rendering engine. Because the engine is invoked without a sandbox, a user with administrative privileges can embed arbitrary Twig expressions, which allows an attacker to read internal data and execute code on the server. The vulnerability is identified as CWE‑1336 and enables both information disclosure and remote code execution.
Affected Systems
The affected product is FOSSBilling, specifically all releases preceding 0.8.0. Administrators who use the email template editor, mass mail features, custom payment adapters, or call the `string_render` API endpoint are exposed to the risk.
Risk and Exploitability
The CVSS score of 9.4 indicates critical severity. The EPSS score of 2% indicates that the likelihood of exploitation is low but not zero, while the absence of a KEV listing does not diminish the risk; the flaw can be abused whenever an attacker gains sufficient privileges to submit template code. The suspension of Twig’s sandbox makes the attack path straightforward for privileged users, and the vulnerability can be coupled with other known issues in the same release to increase impact.
OpenCVE Enrichment