A critical server-side template injection (SSTI) vulnerability in FOSSBilling, tracked as CVE-2026-28496, is exposing instances to potential full database compromise and remote code execution (RCE), with early signs of active exploitation appearing shortly after public disclosure.
This flaw is documented under GitHub advisory GHSA-57mv-jm88-66jc and affects all versions up to 0.7.2. It has been patched in version 0.8.0.
FOSSBilling Flaw
Security researchers warn that the vulnerability arises from unsafe Twig template rendering, in which user-controlled input is processed without sandbox restrictions. This oversight allows attackers to execute arbitrary expressions within the application context.
The issue exists in multiple components of the FOSSBilling template rendering pipeline, particularly the `renderString()` method, which uses Twig’s `createTemplate()` without enforcing a sandbox environment.
This insecure setup enables both administrative users and unauthenticated attackers (when combined with an authorization bypass flaw, GHSA-78x5-c8gw-8279) to inject malicious template code via features like email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint.
Due to the enabled StringLoaderExtension in Twig and the lack of restrictions, attackers can access the entire application context, including sensitive API objects and backend services.
The impact is further heightened by the exposure of the internal dependency injection (DI) container, accessible through the `getDi()` method on API handler objects.
By exploiting this container, attackers can interact directly with key services such as PDO for unrestricted SQL queries, Symfony’s FilesystemAdapter for cache manipulation, session handlers, and password services.
This allows them to bypass application-level controls and perform arbitrary read/write operations on the database, hijack sessions, and create rogue administrative accounts. In some scenarios, attackers may also retrieve sensitive data, including client information, company configurations, and even staff password hashes.
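As an added illustration that is not FOSSBilling's own code: a "render a user-supplied string" helper written the unsafe way the researchers describe, next to a version that switches on Twig's SandboxExtension with an explicit allow-list policy, so that method calls on context objects (the route to `getDi()` above) are refused. It assumes Twig 3.x installed via Composer; the function names and the sample context are hypothetical.

```php
<?php
// Added example, not FOSSBilling code. Contrasts an unsandboxed string renderer
// with one that wraps createTemplate() in a SandboxExtension allow-list policy.
// Assumes Twig 3.x via Composer; all names below are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Extension\StringLoaderExtension;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Unsafe shape: user-controlled template text is compiled with no sandbox, and
// StringLoaderExtension adds template_from_string() on top. Every object in
// $context (and anything reachable from it) is callable from the template.
function renderStringUnsafe(string $userTemplate, array $context): string
{
    $twig = new Environment(new ArrayLoader());
    $twig->addExtension(new StringLoaderExtension());
    return $twig->createTemplate($userTemplate)->render($context);
}

// Hardened shape: sandbox enabled for every template (second ctor argument),
// an explicit allow-list of tags/filters/methods/properties/functions, and no
// string_loader extension registered at all.
function renderStringSandboxed(string $userTemplate, array $context): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                 // allowed tags
        ['escape', 'upper', 'date'],   // allowed filters
        [],                            // allowed methods, keyed by class (none)
        [],                            // allowed properties, keyed by class (none)
        ['range']                      // allowed functions
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->createTemplate($userTemplate)->render($context);
}

// Constructed sample: a benign merge-field template, then one that tries to
// call a method on a context object, which the policy does not permit.
$context = ['client' => ['first_name' => 'Ada'], 'api' => new ArrayObject()];
echo renderStringSandboxed('Hello {{ client.first_name|upper }}', $context), "\n";
try {
    renderStringSandboxed('{{ api.getArrayCopy() }}', $context);
} catch (SecurityError $e) {
    // Fail closed: log the rejected expression rather than rendering anything.
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

Upgrading to the patched 0.8.0 release remains the fix; the sandboxed shape is shown to make clear what the allow-list denies.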
Researchers note that when this vulnerability is exploited via the custom payment gateway functionality, malicious templates may be rendered and returned to end users, introducing a client-side attack vector, such as stored cross-site scripting (XSS), in addition to a backend compromise.
This significantly broadens the attack surface, especially in shared hosting or SaaS billing environments where client interaction is common.
Notably, threat intelligence shared by DefusedCyber indicates that attempts to exploit the vulnerability began within 24 hours of disclosure, despite the lack of a publicly released proof-of-concept exploit.
Observed activity includes traffic from the IP address 160.30.209.77 (ASN: AS137552 Terabix), suggesting a targeted campaign rather than widespread automated scanning. This rapid weaponization underscores the critical nature of the flaw and the likelihood of private exploit development.
The vulnerability has been assigned a CVSS v4 score of 9.4, indicating a high impact on confidentiality, integrity, and availability. While standalone exploitation requires administrative privileges, chaining it with the authentication bypass vulnerability removes this requirement, allowing unauthenticated attackers to achieve full RCE.
Security teams are strongly advised to upgrade immediately to FOSSBilling version 0.8.0 and conduct a thorough audit of all existing Twig templates for suspicious expressions.
Additional mitigation steps include rotating API tokens, restricting access to sensitive API endpoints such as /api/system/* via WAF or reverse proxy controls, and reviewing logs for indicators of compromise, particularly connections from the identified malicious IP.
Given the extensive access possible through DI container abuse, organizations should assume that full system compromise has occurred if exploitation is detected and initiate incident response procedures accordingly.