CVE-2026-28496
Published: 2026-06-23
Priority: P1 · 83 · Critical 9.4 (CVSS 4.0)
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 1.89% (77.0th percentile)
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fossbilling | fossbilling | < 0.8.0 | 0.8.0 |
Detection & IOCs (extracted from sources)
- url: /api/system/system/string_render
- command: {"_tpl":"{{ guest.getDi().db.getCell(\"SELECT @@version\") }}","_try":false}
- other: html:"FOSSBilling"
- Detect POST requests to the string_render API endpoint with Twig expression payloads in the JSON body (_tpl field), which is the primary attack vector for this SSTI vulnerability.
- Look for Twig expression syntax ({{ ... }}) in HTTP request bodies targeting FOSSBilling endpoints, particularly in email templates, mass mail campaigns, custom payment adapters, and the string_render API.
- Audit existing email templates and mass mail campaigns for suspicious Twig expressions that access getDi(), db, or other DI container objects.
- Block external access to /api/system/* at the reverse proxy or WAF level to mitigate chaining with GHSA-78x5-c8gw-8279.
- Note: this vulnerability requires administrator-level access to exploit; it is not directly exploitable by unauthenticated users unless chained with another vulnerability (e.g., GHSA-78x5-c8gw-8279).
- Note: the SSTI is possible because Twig templates are rendered without a sandbox; patched in version 0.8.0. Detections targeting versions >= 0.8.0 should not fire on patched instances.
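The following Python detector is an added example, not code from the advisory, the Nuclei template, or the FOSSBilling project. It applies the detection points above to constructed JSON-lines request logs: it pulls the `_tpl` field out of POSTs to the string_render endpoint, looks for Twig delimiters in any other request body, escalates when the expression reaches `getDi()` or `db`, and suppresses alerts for instances already on 0.8.0 or later. The log field names (`ts`, `method`, `path`, `body`, `app_version`) and the `/api/admin/email/template_update` path in the sample log are assumptions of this example; the string_render path and the 0.8.0 fixed version come from this page.

```python
"""Detect CVE-2026-28496 (FOSSBilling Twig SSTI) attempts in request logs.

Added example, not part of the advisory or the FOSSBilling project. Log
entries are JSON lines with the assumed fields: ts, method, path, body
(raw request body as a string) and app_version.
"""
import json
import re
from typing import Optional

# Endpoint and fixed version as listed on this page.
STRING_RENDER_PATH = "/api/system/system/string_render"
FIXED_VERSION = (0, 8, 0)

# Twig delimiters: output expressions {{ ... }} and statement tags {% ... %}.
TWIG_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Expressions that reach the DI container or the database object through it.
DI_ACCESS = re.compile(r"getDi\s*\(|\bdb\b", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'0.7.9' -> (0, 7, 9); tolerates a 'v' prefix or trailing text."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def extract_template(entry: dict) -> str:
    """Text to check for Twig syntax: the _tpl field for string_render POSTs,
    the raw body for every other request."""
    body = entry.get("body") or ""
    path = entry.get("path", "").split("?", 1)[0]
    if entry.get("method") == "POST" and path == STRING_RENDER_PATH:
        try:
            tpl = json.loads(body).get("_tpl")
        except (ValueError, AttributeError):
            tpl = None
        if isinstance(tpl, str):
            return tpl
    return body


def classify(entry: dict) -> Optional[dict]:
    """Return an alert for a suspicious request, or None."""
    version = entry.get("app_version")
    if version and parse_version(version) >= FIXED_VERSION:
        return None  # patched instance (>= 0.8.0): do not fire
    text = extract_template(entry)
    found = TWIG_TAG.findall(text)
    if not found:
        return None
    # Any Twig syntax is worth a look; DI container / db access is the real signal.
    severity = "high" if DI_ACCESS.search(text) else "medium"
    return {"ts": entry.get("ts"), "path": entry.get("path"),
            "severity": severity, "expressions": found}


def scan(log_lines) -> list:
    """Run classify() over JSON-lines input, skipping blank or malformed lines."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        alert = classify(entry)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log; the admin endpoint path below is a placeholder, not a
# real FOSSBilling route.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ts": "2026-06-24T10:00:01Z", "method": "POST", "path": STRING_RENDER_PATH,
     "body": json.dumps({"_tpl": "{{ guest.getDi().db }}", "_try": False}),
     "app_version": "0.7.9"},
    {"ts": "2026-06-24T10:00:05Z", "method": "POST",
     "path": "/api/admin/email/template_update",
     "body": json.dumps({"subject": "Hello {{ client.first_name }}"}),
     "app_version": "0.7.9"},
    {"ts": "2026-06-24T10:00:09Z", "method": "GET", "path": "/index.php",
     "body": "", "app_version": "0.7.9"},
    {"ts": "2026-06-24T10:00:12Z", "method": "POST", "path": STRING_RENDER_PATH,
     "body": json.dumps({"_tpl": "{{ guest.getDi() }}", "_try": False}),
     "app_version": "0.8.0"},
    {"ts": "2026-06-24T10:00:15Z", "method": "POST", "path": STRING_RENDER_PATH,
     "body": json.dumps({"_tpl": "plain text, no expressions", "_try": False}),
     "app_version": "0.7.9"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Legitimate email and mass-mail templates contain `{{ ... }}` by design, so the medium-severity hits on non-string_render bodies are triage material rather than incidents; the high-severity tier (expressions touching `getDi(` or `db`) is the one to page on, and the version gate keeps the rule quiet on patched instances as the note above requires.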
CVSS provenance
- NVD (v4.0): 9.4 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 9.4 CRITICAL
No detection rules found.
Nuclei
FOSSBilling - Server-Side Template Injection (nuclei · CVSS 9.4)
CVE-2026-28496 [CRITICAL] FOSSBilling - Server-Side Template Injection
A Server-Side Template Injection (SSTI) vulnerability exists in FOSSBilling's template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the string_render API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container.
Template:

```yaml
id: CVE-2026-28496
info:
  name: FOSSBilling - Server-Side Template Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    A Server-Side Template Injection (SSTI) vulnera
```
No writeups or analysis indexed.
Timeline
- 2026-06-23: Published
- Exploited in the wild