CVE-2026-28496
Status: Deferred - Pending Action
Server-Side Template Injection in FOSSBilling

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.
Affected Vendors & Products
Vendor: fossbilling
Product: fossbilling
Version / Range: all versions up to 0.8.0 (excluding 0.8.0)
CWE
CWE-1336: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Compliance Impact

The vulnerability in FOSSBilling allows administrators to inject arbitrary Twig expressions, potentially leading to information disclosure and remote code execution. Such unauthorized access and data exposure could compromise the confidentiality and integrity of personal and sensitive data managed by the system.

This could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect personal data and ensure system security. The risk of data breaches or unauthorized access due to this vulnerability may lead to violations of these regulations.

Executive Summary

CVE-2026-28496 is a Server-Side Template Injection (SSTI) vulnerability found in FOSSBilling versions prior to 0.8.0. It occurs because the Twig templates used for rendering emails, mass mail campaigns, custom payment adapters, and the string_render API endpoint are processed without sandboxing. This allows administrators with access to these features to inject arbitrary Twig expressions.

Due to the lack of sandboxing, the injected expressions can access the full Twig environment, the API context, and the application's dependency injection container, which can lead to information disclosure and remote code execution.

Version 0.8.0 of FOSSBilling patches this issue. Workarounds include auditing email templates for suspicious Twig expressions, rotating all admin and client API tokens, and blocking external access to certain API endpoints via reverse proxy or WAF.

Impact Analysis

This vulnerability can have severe impacts including unauthorized information disclosure and remote code execution on the affected system.

An attacker with administrative access to template rendering features can exploit this vulnerability to execute arbitrary code on the server, potentially gaining full control over the application and its environment.

This can lead to data breaches, service disruption, and compromise of sensitive client and billing information managed by FOSSBilling.

Detection Guidance

This vulnerability can be detected by auditing existing email templates and other Twig template usages for suspicious Twig expressions that could indicate Server-Side Template Injection (SSTI).

Since the vulnerability involves administrators injecting arbitrary Twig expressions in features like email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint, reviewing these areas for unexpected or malicious template code is essential.

No specific commands are provided in the available information to detect this vulnerability on your network or system.

Mitigation Strategies

The fix is to upgrade FOSSBilling to version 0.8.0 or later, which patches the vulnerability. Until the upgrade is in place, the advisory lists the following workarounds:

  • Audit existing email templates for suspicious Twig expressions.
  • Rotate all admin and client API tokens.
  • Block external access to the /api/system/* endpoints at the reverse proxy or Web Application Firewall (WAF), in particular to prevent chaining with GHSA-78x5-c8gw-8279.
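The root cause named in the description is Twig rendering without a sandbox, and the detection and mitigation sections ask for an audit of stored templates; the following PHP script is an added example, not FOSSBilling's or the Twig project's own code, showing both at once: templates are rendered under Twig's SandboxExtension with an allow-list SecurityPolicy, so a benign email template renders while any template that reaches beyond the listed tags, filters, methods and properties raises SecurityError and can be flagged for review. The `Client` class, the template strings and the context values are constructed for the example, and it assumes twig/twig is installed via Composer.

```php
<?php
// Added example, not FOSSBilling or Twig project code: render stored Twig
// templates under a sandbox allow-list so an expression that reaches beyond
// the intended variables fails with SecurityError instead of executing.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig installed via Composer

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for an application object a template may receive.
final class Client
{
    public string $name;
    private string $apiToken;
    public function __construct(string $name, string $apiToken)
    {
        $this->name = $name;
        $this->apiToken = $apiToken;
    }
    public function getApiToken(): string { return $this->apiToken; }
}

// Allow-list: only what a benign email template needs. Unlisted tags, filters,
// functions, method calls and property reads are all rejected by the sandbox.
$policy = new SecurityPolicy(
    ['if', 'for'],                  // tags
    ['escape', 'upper', 'date'],    // filters ('escape' is needed by autoescaping)
    [],                             // methods callable on objects: none
    [Client::class => ['name']],    // properties readable on objects: Client::$name only
    []                              // functions: none
);

$twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);
// Second argument true: sandbox every template, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

// Constructed templates: one normal email body and two that leave the allow-list.
$templates = [
    'welcome'  => 'Hello {{ client.name|upper }}, invoice {{ invoice_id }} is due.',
    'bad-call' => 'Token: {{ client.getApiToken() }}', // unlisted method call
    'bad-tag'  => '{% set x = 1 %}{{ x }}',              // unlisted tag
];
$context = ['invoice_id' => 42, 'client' => new Client('Ada', 'example-token-not-real')];

foreach ($templates as $name => $source) {
    try {
        printf("[ok]      %-8s %s\n", $name, $twig->createTemplate($source)->render($context));
    } catch (SecurityError $e) {
        // Audit hit: this stored template should be reviewed before it is used.
        printf("[blocked] %-8s %s\n", $name, $e->getMessage());
    }
}
```

Running the script against templates exported from the application's database turns the advisory's "audit for suspicious Twig expressions" into a mechanical check: anything that hits the sandbox policy is reported with the offending tag, method or function name.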