PHP Code Injection Vulnerability in FOSSBilling by FOSSBilling
CVE-2026-43921

8.9HIGH

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-43921?

FOSSBilling, a free and open-source billing and client management system, has a vulnerability allowing PHP code injection through its Config::prettyPrintArrayToPHP() method. When updates are made to configuration values, string values are improperly written into config.php, lacking necessary escape for single quotes. Because config.php is included on every HTTP request, an attacker with admin access can execute arbitrary PHP code through these unescaped inputs. A patch is included in version 0.8.0, and it is advised to limit admin access, audit config.php for unauthorized code, and implement restrictions at the reverse proxy or WAF level to safeguard admin API endpoints that modify critical configurations.

Affected Version(s)

FOSSBilling >= 0.6.10, < 0.8.0

References

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.