CVE-2026-28496 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-28496: FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.

Metrics

CVSS v4.0: 9.4
Severity: CRITICAL
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

Server-side template injection (SSTI) is a class of vulnerability where an attacker can embed executable code inside a template that the server then runs. In FOSSBilling versions before 0.8.0, any administrator who can edit Twig templates (email templates, mass mail campaigns, custom payment adapters, or the string_render API endpoint) can inject arbitrary Twig expressions that execute without sandboxing, exposing the full application environment and dependency injection container. Successful exploitation gives the attacker both read access to sensitive application data and the ability to execute arbitrary code on the server. No upstream fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment upstream ships a release.
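To make the "rendered without a sandbox" point concrete, the following is an added example (not FOSSBilling's code, nor HarborGuard's) that renders an administrator-supplied Twig template once without a sandbox and once under a Twig SecurityPolicy allowlist; the ClientView and Mailer classes, the template string and the allowlists are constructed for illustration and assume twig/twig is installed via Composer.

```php
<?php
// Added example, not FOSSBilling code. Assumes twig/twig is installed via Composer.
require __DIR__ . '/vendor/autoload.php';
use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-ins for objects a billing app exposes to templates.
final class ClientView { public function __construct(public string $email) {} }
final class Mailer { public function deliver(): string { return 'sent'; } }

// The template body is an administrator-editable setting: that is the trust
// boundary the advisory describes.
$source  = 'Hello {{ client.email|upper }}, your invoice is ready.';
$context = ['client' => new ClientView('a@example.com'), 'mailer' => new Mailer()];

// Unsandboxed (the vulnerable pattern): every object, method, filter and
// function reachable from the context is available to the template author.
$unsafe = new Environment(new ArrayLoader());
echo $unsafe->createTemplate($source)->render($context), PHP_EOL;

// Sandboxed: only allowlisted tags, filters, methods, properties and
// functions compile; anything else raises SecurityError instead of running.
$policy = new SecurityPolicy(
    ['if', 'for'],                    // tags
    ['upper', 'escape', 'date'],      // filters ('escape' is needed when autoescape is on)
    [],                               // methods per class (none allowed)
    [ClientView::class => ['email']], // properties per class
    []                                // functions (none allowed)
);
$safe = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
$safe->addExtension(new SandboxExtension($policy, true)); // true: sandbox every template

function renderAdminTemplate(Environment $twig, string $source, array $context): string
{
    try {
        return $twig->createTemplate($source)->render($context);
    } catch (SecurityError $e) {
        // Refuse and log; never fall back to the unsandboxed engine.
        return 'template rejected: ' . $e->getMessage();
    }
}

echo renderAdminTemplate($safe, $source, $context), PHP_EOL;                  // renders
echo renderAdminTemplate($safe, '{{ mailer.deliver() }}', $context), PHP_EOL; // rejected
```

The second sandboxed call is refused at compile time because Mailer has no allowlisted methods, which is the behaviour an audit of the template-rendering paths named in the advisory should confirm after upgrading.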

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle FOSSBilling. Any image carrying an affected FOSSBilling version (below 0.8.0) is flagged in the pipeline scan results immediately.

Triage: Available

HarborGuard scores this finding at CVSS 9.4 Critical using the published v4.0 vector, and per-environment compliance policy weighting is available to escalate or re-route the alert based on each organization's defined risk thresholds. Routing to the appropriate team inbox within each customer org is handled automatically based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment FOSSBilling 0.8.0 or a subsequent release is published. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically once the upstream patch is available. In the interim, compensating controls such as blocking external access to /api/system/* at the reverse proxy or WAF layer are available as policy-enforceable mitigations within HarborGuard's network-policy isolation recommendations.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the FOSSBilling application over the network; the service must be exposed to the attacker's network to be exploited.

  • Authentication: Required

    The attacker must hold a valid administrator account; a high-privilege credential is required before any template injection can be attempted.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker submits malicious input directly to the application.

  • Attack complexity: Low

    Attack complexity is low, meaning no race conditions or special environmental factors are required and the exploit is reliable once the attacker has admin credentials.

Blast Radius

  • Reads sensitive application data including API tokens, client records, and the contents of the dependency injection container.
  • Executes arbitrary operating system commands on the server hosting FOSSBilling, resulting in full remote code execution.
  • Modifies or deletes persisted billing records, client accounts, and application configuration.
  • Disrupts service availability by crashing or reconfiguring the application from within the server process.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with no upstream fix yet published, so HarborGuard monitors the FOSSBilling advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fixed version is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention. While waiting for an upstream patch, HarborGuard's network-policy isolation recommendations include blocking external access to /api/system/* at the reverse proxy or WAF layer (which also reduces chaining risk with the related advisory GHSA-78x5-c8gw-8279), auditing existing email templates in affected images for suspicious Twig expressions, and rotating all admin and client API tokens. Where compliance policy permits, these compensating controls can be pushed as policy annotations tied to the CVE finding so that remediation status is tracked per environment.

Affected packages

  • FOSSBilling / FOSSBilling: < 0.8.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H