1. Home
  2. Vulnerabilities
  3. CVE-2026-28496
0.0
NA
CVE-2026-28496
FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE
Overview
Description

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279.

Details
INFO

Published Date :

June 23, 2026, 2:20 p.m.

Last Modified :

June 23, 2026, 2:24 p.m.

Remotely Exploit :

No

Source :

GitHub_M
Impact
Affected Products

The following products are affected by CVE-2026-28496 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Solution
Update FOSSBilling to version 0.8.0 or later to fix SSTI vulnerability.
  • Update FOSSBilling to version 0.8.0 or later.
  • Audit email templates for suspicious Twig expressions.
  • Rotate all admin and client API tokens.
  • Block external access to /api/system/*.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-28496 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.