SQL Injection Vulnerability in FOSSBilling's Massmailer Module
CVE-2026-33734
6.9MEDIUM
What is CVE-2026-33734?
FOSSBilling, a free and open-source billing and client management platform, has a SQL injection flaw in the Massmailer module's filtering process affecting versions 0.6.0 through 0.7.2. An authenticated administrator can exploit this vulnerability by providing malicious filter values during the mass email update, resulting in untrusted input being executed in SQL queries used for recipient selection. To mitigate this issue, upgrade to version 0.8.0, restrict admin access to trusted users only, disable the Massmailer module if unnecessary, and audit the mod_massmailer table for any suspicious entries.
Affected Version(s)
FOSSBilling >= 0.6.0, < 0.8.0
