TL;DR
A critical FOSSBilling template injection flaw, CVE-2026-28496, carries a CVSS score of 9.4. Attackers can read sensitive data and run code on the host. One researcher already spotted exploitation attempts in the wild.
Why It Matters
FOSSBilling stores client records, payment details, and staff credentials. Therefore, a single flaw here exposes a billing platform’s most sensitive data. Worse, the bug can escalate to full remote code execution.
When chained with an authorization bypass (GHSA-78x5-c8gw-8279), no login is needed. As a result, unauthenticated attackers can reach the same vulnerable code path.
How the Attack Works
The problem lives in FOSSBilling’s Twig template rendering. The application renders templates without a sandbox. Consequently, an attacker with template access can inject arbitrary Twig expressions.
These templates expose API globals and a getDi() method. That method returns the full dependency injection container. From there, an attacker reaches the database, cache, and password services. This chain turns information disclosure into remote code execution.
Affected Versions
The FOSSBilling template injection issue affects versions 0.1.0 through 0.7.2. In short, every release up to and including 0.7.2 is vulnerable. The project’s official security advisory lists the affected components.
Exploitation Status
On June 24, a researcher observed exploitation in the wild from the IP address 160.30.209[.]77 (AS137552 Terabix). The advisory went public only days earlier. So defenders had a narrow window before the first probes landed.

However, no public proof-of-concept has been released yet. The flaw also does not yet appear in major known-exploited catalogs. Still, the actor avoids common honeypots, which points to a targeted campaign. Security firm VulnCheck separately confirmed the unauthenticated RCE chain against default installs.
Patch and Mitigation
Update to FOSSBilling 0.8.0 right away, since it fixes the flaw. If you cannot patch now, take these steps instead:
- Audit email templates for suspicious Twig expressions.
- Rotate all admin and client API tokens.
- Block external access to /api/system/* at your reverse proxy or WAF.
Finally, search your logs for the attacker IP above.
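As an added example (not from the advisory or the FOSSBilling project), the following Python script automates the first interim step above: it scans stored email templates for Twig tags that call getDi(), invoke methods on template variables, or use Twig's own introspection helpers. The sample templates, variable names and file suffixes are constructed assumptions, not FOSSBilling's actual schema.

```python
import re
from pathlib import Path

# Twig delimiters for expressions ({{ ... }}) and statements ({% ... %}).
TWIG_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)

# Constructs a reviewer should not expect in a customer-facing email template.
# getDi() comes from the advisory; the rest are generic Twig introspection
# features that become dangerous once rendering is unsandboxed.
RISKY = {
    "getDi() container accessor": re.compile(r"\bgetDi\s*\("),
    "method call on a template variable": re.compile(r"\b\w+(?:\.\w+)+\s*\("),
    "dynamic attribute() lookup": re.compile(r"\battribute\s*\("),
    "_self/_context introspection": re.compile(r"\b_(?:self|context)\b"),
}


def audit_template(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, reason, tag) for every suspicious Twig tag in text."""
    findings = []
    for m in TWIG_TAG.finditer(text):
        tag = m.group(0)
        line_no = text.count("\n", 0, m.start()) + 1
        for reason, pattern in RISKY.items():
            if pattern.search(tag):
                findings.append((line_no, reason, " ".join(tag.split())))
    return findings


def audit_directory(root: str, suffixes=(".twig", ".html", ".txt")) -> dict:
    """Audit every template-like file under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings = audit_template(path.read_text(errors="replace"))
            if findings:
                report[str(path)] = findings
    return report


# Constructed samples (assumed field names): a normal reminder and a tampered one.
BENIGN = "Hello {{ client.first_name }}, invoice {{ invoice.nr }} is due {{ invoice.due_at|date('Y-m-d') }}."
TAMPERED = (
    "Hello {{ client.first_name }},\n"
    "Version: {{ guest.system.version() }}\n"
    "{% set di = admin.getDi() %}\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, audit_template(sample))
```

Point audit_directory at the directory where your instance stores email templates (or at a database export of them); any hit deserves manual review, since legitimate billing templates rarely need method calls at all.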