SQL Injection Vulnerability in FOSSBilling's Massmailer Module
CVE-2026-33734

6.9MEDIUM

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-33734?

FOSSBilling, a free and open-source billing and client management platform, has a SQL injection flaw in the Massmailer module's filtering process affecting versions 0.6.0 through 0.7.2. An authenticated administrator can exploit this vulnerability by providing malicious filter values during the mass email update, resulting in untrusted input being executed in SQL queries used for recipient selection. To mitigate this issue, upgrade to version 0.8.0, restrict admin access to trusted users only, disable the Massmailer module if unnecessary, and audit the mod_massmailer table for any suspicious entries.

Affected Version(s)

FOSSBilling >= 0.6.0, < 0.8.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.