Gbhackers
Critical SSTI Vulnerability in FOSSBilling Exposes Databases to RCE Attacks
A critical server-side template injection (SSTI) vulnerability in FOSSBilling, tracked as CVE-2026-28496, was disclosed on June 23, 2026. It affects all versions up to and including 0.7.2 and stems from unsafe Twig template rendering: user-controlled strings reach Twig as template source rather than as template data, so the expressions they contain are evaluated on the server, leading to full database compromise and remote code execution (RCE). The vulnerability is reachable by administrative users and, through some paths, by unauthenticated attackers, notably via email templates and the `string_render` API endpoint. Because the application's dependency injection (DI) container is reachable from the rendering context, an attacker who controls a template can perform arbitrary read and write operations against the database and hijack sessions. Threat intelligence indicates that exploitation attempts began within 24 hours of disclosure. The flaw carries a CVSS v4 score of 9.4 (critical), reflecting high impact on confidentiality, integrity, and availability. A fix shipped in version 0.8.0; until instances are upgraded, the risk remains significant because exploitation attempts are ongoing.
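The following is an added example, not FOSSBilling's own code, that shows the rendering mistake the article describes and two ways to avoid it. It assumes `twig/twig` is installed via Composer; the `AppContext` class, its `getSecret()` method, the `$userInput` string and the three `render*` functions are all constructed for illustration and do not correspond to FOSSBilling's `string_render` endpoint or its DI container.

```php
<?php
// Added illustration of Twig SSTI, not code from FOSSBilling.
// Assumes: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Hypothetical object that ends up in the render context. In a real app this
// is the role the DI container plays: anything reachable from here is the
// attacker's reach too.
final class AppContext
{
    public function getSecret(): string
    {
        return 'db-password-placeholder';
    }
}

// Constructed attacker-controlled input. `{{ 7*7 }}` is the classic SSTI probe;
// `{{ app.secret }}` resolves to AppContext::getSecret() under Twig's attribute rules.
$userInput = 'Hello {{ 7*7 }} {{ app.secret }}';
$ctx       = ['app' => new AppContext()];

// 1. Vulnerable pattern: the user string becomes the *template source*, so Twig
//    evaluates every expression in it with full access to the render context.
function renderUnsafe(string $userSource, array $ctx): string
{
    $twig = new Environment(new ArrayLoader([]));
    return $twig->createTemplate($userSource)->render($ctx);
}

// 2. Safe pattern when the user only needs to supply *data*: keep the template
//    fixed and pass the string in as a variable. Its braces are printed
//    literally and the value is auto-escaped for HTML.
function renderSafe(string $userValue, array $ctx): string
{
    $twig = new Environment(new ArrayLoader([]));
    return $twig->createTemplate('Hello {{ msg }}')
                ->render($ctx + ['msg' => $userValue]);
}

// 3. Safe pattern when admins legitimately edit templates (email templates
//    are the obvious case): render inside Twig's sandbox with an allow-list
//    that grants no methods, properties or functions, so `app.secret` is
//    rejected at compile time instead of being called.
function renderSandboxed(string $adminSource, array $ctx): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],        // allowed tags
        ['escape', 'upper'],  // allowed filters ('escape' is needed for autoescape)
        [],                   // allowed methods per class: none
        [],                   // allowed properties per class: none
        []                    // allowed functions: none
    );
    $twig = new Environment(new ArrayLoader([]));
    $twig->addExtension(new SandboxExtension($policy, true)); // sandbox every template
    return $twig->createTemplate($adminSource)->render($ctx);
}

echo "unsafe:    ", renderUnsafe($userInput, $ctx), PHP_EOL;   // expressions evaluated, secret leaks
echo "safe:      ", renderSafe($userInput, $ctx), PHP_EOL;     // braces printed literally
try {
    echo "sandboxed: ", renderSandboxed($userInput, $ctx), PHP_EOL;
} catch (SecurityError $e) {
    echo "sandboxed: rejected (", get_class($e), ")", PHP_EOL;  // `app.secret` not in policy
}
```

The practical check for a codebase like this is to grep for every call that compiles a template from a runtime string (`createTemplate`, `render` on an `ArrayLoader`-backed environment, or the project's own wrapper around them) and confirm that the string comes from a file shipped with the application or from a sandboxed, allow-listed path; any call where the source originates in a request parameter or a database row an untrusted user can write is the pattern the advisory describes.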
Key Points:
• CVE-2026-28496 exposes FOSSBilling to RCE and database compromise.
• Exploitation attempts began within 24 hours of the vulnerability's disclosure.
• The flaw affects all versions up to 0.7.2 and has been patched in version 0.8.0.