CVE-2026-43921
Received Received - Intake

PHP Code Injection in FOSSBilling Configuration

Vulnerability report for CVE-2026-43921, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. When configuration values are updated, string values are written into `config.php` without escaping single quotes. Because `config.php` is loaded via a bare `include` on every HTTP request, an attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request. Version 0.8.0 contains a patch. Some workarounds are available. Restrict admin access to trusted personnel only; audit `config.php` for unexpected PHP code; and/ or at the reverse proxy/WAF level, restrict access to admin API endpoints that modify configuration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fossbilling fossbilling From 0.6.10 (inc) to 0.7.2 (inc)
fossbilling fossbilling 0.8.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FOSSBilling versions 0.6.10 through 0.7.2 in the `Config::prettyPrintArrayToPHP()` method. When configuration values are updated, string values are written into the `config.php` file without escaping single quotes.

Because `config.php` is included on every HTTP request, an attacker with admin privileges can inject arbitrary PHP code into this file. This injected code will then execute on every subsequent request, allowing the attacker to run malicious PHP code on the server.

Version 0.8.0 of FOSSBilling contains a patch to fix this issue. Workarounds include restricting admin access to trusted personnel, auditing the `config.php` file for unexpected PHP code, and restricting access to admin API endpoints that modify configuration at the reverse proxy or WAF level.

Impact Analysis

This vulnerability allows an attacker with admin privileges to inject and execute arbitrary PHP code on the server hosting FOSSBilling.

The impact includes potential full compromise of the server, unauthorized access to sensitive data, disruption of billing and client management services, and the ability to perform further attacks within the environment.

Detection Guidance

This vulnerability can be detected by auditing the config.php file for unexpected or malicious PHP code injections, especially looking for unescaped single quotes in configuration values.

Since the vulnerability involves PHP code injection via the config.php file, you can check the contents of this file for suspicious code.

  • Use commands like `grep -n "<?php" config.php` to find any PHP opening tags that should not be present.
  • Use `grep -E "['\"]" config.php` to look for unescaped single quotes or suspicious string patterns.
  • Monitor HTTP requests to the admin API endpoints that modify configuration for unusual activity.
Mitigation Strategies

Immediate mitigation steps include restricting admin access to trusted personnel only to prevent unauthorized configuration changes.

Audit the config.php file for unexpected PHP code and remove any malicious injections.

At the reverse proxy or Web Application Firewall (WAF) level, restrict access to admin API endpoints that modify configuration to trusted IPs or users.

Upgrade FOSSBilling to version 0.8.0 or later, which contains a patch for this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43921. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart