Threat Advisory

Critical FOSSBilling Vulnerability Allows Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT, Finance & Banking
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-28496, rated CVSS 9.4, is a critical template injection flaw in FOSSBilling affecting all releases from version 0.1.0 through 0.7.2. The root cause is that the application's Twig template engine renders templates without a sandbox, so an attacker who can supply a template file can embed arbitrary Twig expressions. Because the templates expose API globals and a getDi() method that returns the full dependency-injection container, injected expressions can traverse the container to reach the database, cache, and password services, turning what would otherwise be an information disclosure into remote code execution. Exploitation requires only an HTTP request to a vulnerable API endpoint; combined with a known authorization bypass, no authentication is needed, so an unauthenticated attacker can invoke the vulnerable code path directly. A successful attacker can read sensitive client, payment, and staff data and execute arbitrary commands on the host, leading to full system compromise, regulatory exposure, and potential service downtime. The attack works against default installations of the affected versions that have not applied additional sandboxing or input validation controls.
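The mechanism described above, as an added example that is not FOSSBilling's code: an attacker-controlled Twig template rendered with a plain Twig Environment, beside the same template rendered under Twig's SandboxExtension with an empty allow-list. ApiStub, ContainerStub and ServiceStub are hypothetical stand-ins for the API global, the DI container and a service it hands out; the attacker template string is a constructed sample, not a real exploit string. The Twig classes used are the Twig 3 public API.

```php
<?php
// Added example: attacker-controlled Twig template rendered with and without
// a sandbox. Not FOSSBilling code; ApiStub, ContainerStub and ServiceStub are
// hypothetical stand-ins for the API global, the DI container and a service.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig ^3 installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical service handed out by the container (stand-in for a DB handle).
final class ServiceStub
{
    public function __construct(private string $id) {}

    public function query(string $sql): string
    {
        // A real service would execute this; the stub only echoes it back.
        return "{$this->id} would run: {$sql}";
    }
}

// Hypothetical DI container: every service is one get() call away.
final class ContainerStub
{
    public function get(string $id): ServiceStub
    {
        return new ServiceStub($id);
    }
}

// Hypothetical API global that returns the whole container, as the advisory describes.
final class ApiStub
{
    public function getDi(): ContainerStub
    {
        return new ContainerStub();
    }
}

// Constructed sample of an attacker-supplied template: it walks from the API
// global to the container and on to a privileged service.
$attackerTemplate = "{{ api.getDi().get('db').query('SELECT 1') }}";

// Vulnerable pattern: attacker input rendered by a plain Environment. Any method
// on any reachable object can be called from the template.
function renderUnsandboxed(string $template): string
{
    $twig = new Environment(new ArrayLoader(['t' => $template]));
    return $twig->render('t', ['api' => new ApiStub()]);
}

// Hardened pattern: a global sandbox with an empty allow-list. Tags, filters,
// methods, properties and functions must each be explicitly permitted.
function renderSandboxed(string $template): string
{
    $twig = new Environment(new ArrayLoader(['t' => $template]));
    $policy = new SecurityPolicy(
        [], // allowed tags
        [], // allowed filters
        [], // allowed methods, keyed by class name
        [], // allowed properties, keyed by class name
        []  // allowed functions
    );
    // Second argument true = sandbox every template, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    try {
        return $twig->render('t', ['api' => new ApiStub()]);
    } catch (SecurityError $e) {
        // The first disallowed step (the getDi call) is rejected before it runs.
        return 'blocked: ' . $e->getMessage();
    }
}

echo renderUnsandboxed($attackerTemplate), PHP_EOL; // the service is reached through the container
echo renderSandboxed($attackerTemplate), PHP_EOL;   // the sandbox raises SecurityError instead
```

The sandbox is an allow-list, so it only helps if nothing on the list can hand back the container or another object with dangerous methods; auditing that list is part of the control. It is defence in depth for operators who cannot patch immediately, not a substitute for upgrading to the fixed release.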

RECOMMENDATION:

  • Update FOSSBilling to version 0.8.0, which fixes this issue.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/fossbilling-template-injection-exploited/