Stored XSS Vulnerability in FOSSBilling Client Email History
CVE-2026-53641
4.8MEDIUM
What is CVE-2026-53641?
FOSSBilling, a free and open-source billing and client management system, has a vulnerability affecting versions 0.6.0 through 0.7.2, which allows for stored cross-site scripting (XSS) in the email history views. By rendering HTML content through a JavaScript template literal without appropriate output escaping, an attacker with admin privileges can inject arbitrary JavaScript payloads into client emails. This payload executes in the browser of any client accessing their email history, posing significant security risks. Upgrading to version 0.8.0 remedies this issue, while temporary mitigations include limiting admin access, auditing email content, and monitoring unusual behavior in client accounts.
Affected Version(s)
FOSSBilling >= 0.6.0, < 0.8.0
