PHP Code Injection Vulnerability in FOSSBilling by FOSSBilling
CVE-2026-43921
8.9HIGH
What is CVE-2026-43921?
FOSSBilling, a free and open-source billing and client management system, has a vulnerability allowing PHP code injection through its Config::prettyPrintArrayToPHP() method. When updates are made to configuration values, string values are improperly written into config.php, lacking necessary escape for single quotes. Because config.php is included on every HTTP request, an attacker with admin access can execute arbitrary PHP code through these unescaped inputs. A patch is included in version 0.8.0, and it is advised to limit admin access, audit config.php for unauthorized code, and implement restrictions at the reverse proxy or WAF level to safeguard admin API endpoints that modify critical configurations.
Affected Version(s)
FOSSBilling >= 0.6.10, < 0.8.0
