Server-Side Template Injection in FOSSBilling by FOSSBilling Team
CVE-2026-28496
What is CVE-2026-28496?
CVE-2026-28496 is a significant vulnerability in FOSSBilling, a free and open-source billing and client management system that businesses use to manage billing operations and client interactions. The vulnerability is a Server-Side Template Injection (SSTI) flaw in the template rendering system used by FOSSBilling versions prior to 0.8.0. It allows administrators with access to features that render Twig templates (such as email templates and payment adapters) to inject arbitrary Twig expressions, which can lead to unauthorized information disclosure and remote code execution. The root cause is the absence of a sandboxed environment for these Twig templates: a template therefore has access to the entire Twig environment, the API context, and the application's dependency injection container. For organizations running this system, failing to address the SSTI vulnerability may expose sensitive data and open pathways to further exploitation and system compromise.
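The mitigation the root cause points to is rendering admin-supplied templates inside a Twig sandbox with an explicit allow-list. The following is an added example written for this page, not FOSSBilling's code or its actual fix; it assumes Twig 3 installed via Composer, PHP 8, and a constructed Client class standing in for an object an email template might reference.

```php
<?php
// Added example: render an admin-supplied Twig template under a sandbox policy.
// Not FOSSBilling code; assumes Twig 3 via Composer (vendor/autoload.php) and PHP 8.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed stand-in for an object a template may be given in its context.
final class Client
{
    public function __construct(public string $firstName, private string $apiToken) {}
    public function getFirstName(): string { return $this->firstName; }
    public function getApiToken(): string { return $this->apiToken; }
}

// Allow-list policy: only the tags, filters, functions and object members a
// template author legitimately needs. Anything else raises a SecurityError.
$policy = new SecurityPolicy(
    ['if', 'for'],                       // allowed tags
    ['escape', 'upper', 'date'],         // allowed filters
    [Client::class => ['getFirstName']], // allowed methods, per class
    [Client::class => ['firstName']],    // allowed properties, per class
    ['range']                            // allowed functions
);

$twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
// sandboxed=true applies the policy to every template, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

function renderAdminTemplate(Environment $twig, string $source, array $context): string
{
    try {
        return $twig->createTemplate($source)->render($context);
    } catch (SecurityError $e) {
        // Reject the whole template; log the reason instead of rendering a partial result.
        return 'rejected: ' . $e->getMessage();
    }
}

$client = new Client('Ada', 'constructed-secret');
// Legitimate template: only allow-listed members are used, so it renders.
echo renderAdminTemplate($twig, 'Hello {{ client.firstName|upper }}', ['client' => $client]), "\n";
// A template reaching for a method outside the allow-list is stopped at render time.
echo renderAdminTemplate($twig, '{{ client.getApiToken() }}', ['client' => $client]), "\n";
```

The second call returns a rejection rather than the token, which is the behaviour a defender should verify after upgrading or applying a sandbox.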
Potential impact of CVE-2026-28496
- Information Disclosure: Exploiting this vulnerability could allow unauthorized access to sensitive information stored within the billing system, including client data and financial details, risking compliance violations and reputational damage.
- Remote Code Execution: Attackers could leverage the SSTI flaw to execute arbitrary code on the server. This capability could facilitate the installation of malware, manipulation of existing applications, or full system control, potentially leading to widespread disruptions and data breaches.
- Access to API and Internal Systems: Due to the vulnerability, malicious actors could exploit the application's dependency injection container and access the entire Twig environment. This access heightens the risk of subsequent attacks on connected systems and APIs, amplifying the overall impact on an organization's digital infrastructure.
Affected Version(s)
FOSSBilling < 0.8.0
