
FOSSBilling Vulnerability Allows Admin Attackers to Exploit DI Container for SQL Access and Remote Code Execution


A significant vulnerability has been uncovered in FOSSBilling, identified as CVE-2026-28496, which poses serious risks of full database compromise and remote code execution (RCE). This critical flaw has already shown signs of being actively exploited shortly after it was made public. Security analysts and researchers are sounding alarms about the implications of this vulnerability, calling it a severe threat to systems utilizing this software.

The specifics of the vulnerability were formalized in a GitHub advisory, which confirms that it affects all FOSSBilling versions up to and including 0.7.2. The issue has been patched in version 0.8.0, and all users are urged to upgrade immediately to mitigate the risk.

The root cause of this vulnerability resides in the unsafe rendering of Twig templates. Researchers have pointed out that user-controlled inputs are processed without adequate sandbox restrictions, creating a pathway for attackers to execute arbitrary expressions within the application. This oversight manifests itself in various components of the FOSSBilling template rendering pipeline, particularly the renderString() method, which leverages Twig’s createTemplate() function but fails to impose a necessary sandbox environment.

This inadequacy enables both administrative users and unauthenticated attackers—especially when combined with an existing authentication bypass vulnerability (identified as GHSA-78x5-c8gw-8279)—to inject dangerous template code. These injections can occur through functionalities such as email templates, mass mail campaigns, custom payment adapters, and even an API endpoint known as string_render.

Due to the enabled StringLoaderExtension in Twig and a lack of restrictions, malicious actors can gain access to the entire application context. This context includes sensitive API objects and backend services, thereby amplifying the threat posed by the vulnerability. Additionally, the internal dependency injection (DI) container is exposed through the getDi() method on API handler objects, which provides attackers with the potential to execute direct interactions with key services, such as performing unrestricted SQL queries via PDO, manipulating caches through Symfony’s FilesystemAdapter, and accessing session handlers as well as password management services.
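The two rendering styles described above, side by side, as an added example that is not FOSSBilling's own code: a renderString() built on Twig's createTemplate() with no sandbox, StringLoaderExtension enabled and a privileged API object in the context, next to a hardened variant that enables Twig's SandboxExtension globally with an explicit allow-list and refuses to pass objects into untrusted templates at all. The FakeApiHandler class, its getDi() return value and the hostile template string are constructed for the demonstration; the Twig classes and their constructor signatures are the library's real ones, and a Composer-installed twig/twig is assumed.

```php
<?php
// Added example, not code from FOSSBilling. Contrasts an unsandboxed
// renderString()-style helper with a sandboxed one. FakeApiHandler and the
// sample template are constructed stand-ins.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Extension\StringLoaderExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Stand-in for an API handler object that exposes the DI container (hypothetical).
final class FakeApiHandler
{
    public function getDi(): array
    {
        return ['pdo' => 'a PDO service would be reachable here'];
    }
}

// VULNERABLE PATTERN: no sandbox, string loader enabled, whatever the caller
// puts in $vars (including service objects) is reachable from the template.
function renderStringUnsafe(string $userTemplate, array $vars): string
{
    $twig = new Environment(new ArrayLoader());
    $twig->addExtension(new StringLoaderExtension());
    return $twig->createTemplate($userTemplate)->render($vars);
}

// HARDENED PATTERN, part 1: a globally enabled sandbox with an allow-list.
// No methods or properties are allowed, so any object navigation is refused.
function sandboxedEnvironment(): Environment
{
    $policy = new SecurityPolicy(
        ['if', 'for'],              // allowed tags
        ['escape', 'upper', 'join'], // allowed filters
        [],                         // allowed methods: none
        [],                         // allowed properties: none
        []                          // allowed functions: none (no template_from_string)
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox every template
    return $twig;
}

// HARDENED PATTERN, part 2: defence in depth, never hand objects to an
// untrusted template; only scalars and arrays of scalars are accepted.
function assertScalarContext(array $vars, string $prefix = ''): void
{
    foreach ($vars as $name => $value) {
        if (is_object($value)) {
            throw new InvalidArgumentException("Refusing to expose object '{$prefix}{$name}' to an untrusted template");
        }
        if (is_array($value)) {
            assertScalarContext($value, "{$prefix}{$name}.");
        }
    }
}

function renderStringSandboxed(string $userTemplate, array $vars): string
{
    assertScalarContext($vars);
    return sandboxedEnvironment()->createTemplate($userTemplate)->render($vars);
}

// Constructed input: a template that tries to reach the DI container.
$hostile = '{{ api.getDi()|join(",") }}';
$context = ['api' => new FakeApiHandler()];

// 1. Unsandboxed: the object graph is reachable and the service name is printed.
echo 'unsafe:    ', renderStringUnsafe($hostile, $context), PHP_EOL;

// 2. Hardened: the context check rejects the object before Twig ever runs.
try {
    renderStringSandboxed($hostile, $context);
} catch (InvalidArgumentException $e) {
    echo 'hardened:  ', $e->getMessage(), PHP_EOL;
}

// 3. Even if an object slipped past the context check, the sandbox policy
//    refuses the method call at render time.
try {
    sandboxedEnvironment()->createTemplate($hostile)->render($context);
} catch (SecurityError $e) {
    echo 'sandbox:   ', get_class($e), PHP_EOL;
}

// 4. A benign template with scalar data still renders under the sandbox.
echo 'benign:    ', renderStringSandboxed('Hello {{ name|upper }}', ['name' => 'client']), PHP_EOL;
```

The order of the two hardening layers matters: the context check is cheap and catches mistakes in calling code, while the sandbox policy is what protects templates that legitimately need some dynamic content. Allowing no methods and no functions also removes template_from_string, the one function StringLoaderExtension provides, without having to reason about which of its uses are safe.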

Attackers might exploit this scenario to bypass application-level security measures, leading to actions like arbitrary read/write operations on the database, session hijacking, and even creating unauthorized administrative accounts. With these capabilities, there exists the possibility for attackers to access sensitive information, including client data, company configurations, and staff password hashes.

Security experts warn that the danger extends further when the vulnerability is exploited through custom payment gateway functionality. Malicious templates can be rendered and returned to end users, paving the way for client-side attacks, such as stored cross-site scripting (XSS) threats in addition to backend compromises. This broadens the attack surface considerably, particularly within shared hosting or Software as a Service (SaaS) billing environments, where interaction with clients is frequent.

Notably, threat intelligence shared by DefusedCyber reported an uptick in efforts to exploit this vulnerability within a mere 24 hours after its disclosure. This is significant, given there was no publicly available proof-of-concept exploit to aid attackers. The observed activity, particularly traffic from a specific IP address (160.30.209.77), points to a potentially targeted campaign rather than widespread automated attempts to exploit the flaw. Such rapid weaponization highlights the flaw’s critical nature and the possibility of private exploit development in the hacking community.

The vulnerability has been given a CVSS v4 score of 9.4, indicating a substantial threat to confidentiality, integrity, and availability. While a standalone exploitation would generally necessitate administrative privileges, chaining it with the authentication bypass flaw allows unauthenticated attackers to achieve complete RCE, thus elevating the severity of the risk.

In light of these developments, security teams are urged to take immediate action by upgrading to FOSSBilling version 0.8.0 and conducting comprehensive audits of all existing Twig templates for suspicious expressions. Additional preventative measures include rotating API tokens, restricting access to sensitive API endpoints (/api/system/*) through a Web Application Firewall (WAF) or reverse proxy controls, and monitoring logs for signs of compromise, particularly connections originating from the identified malicious IP.
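A small audit helper for the two checks recommended above, added here as an example and not part of FOSSBilling or any vendor tooling: it scans template sources for the expressions the article associates with this flaw (getDi() calls, template_from_string from the string loader, direct SQL-style method calls) and scans access-log lines for requests to /api/system/* or from the IP named in the text. The regular expressions, the combined-log-format assumption, the rule labels and all sample templates and log lines are constructed for the demonstration; only the path prefix and the IP address come from the article.

```php
<?php
// Added example, not FOSSBilling's own tooling. Audits Twig template sources
// and access-log lines for the indicators the article describes.
// Patterns, log format and sample data are assumptions/constructed input.
declare(strict_types=1);

// Expressions worth a manual look in any template that can be edited by admins.
const SUSPICIOUS_TEMPLATE_PATTERNS = [
    'di-container'  => '/\.getDi\s*\(/i',                  // DI container reached via API handler
    'string-loader' => '/\btemplate_from_string\s*\(/i',    // StringLoaderExtension function
    'sql-method'    => '/\.(query|exec|prepare)\s*\(/i',    // PDO-style calls from a template
];

function auditTemplate(string $name, string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        foreach (SUSPICIOUS_TEMPLATE_PATTERNS as $rule => $regex) {
            if (preg_match($regex, $line) === 1) {
                $findings[] = ['template' => $name, 'line' => $index + 1, 'rule' => $rule, 'text' => trim($line)];
            }
        }
    }
    return $findings;
}

// IP reported in the article's threat-intelligence section.
const KNOWN_BAD_IPS = ['160.30.209.77'];

// Assumes the Apache/nginx "combined" log format.
function auditAccessLog(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m) !== 1) {
            continue; // not a parseable request line
        }
        [, $ip, $timestamp, $method, $path, $status] = $m;
        $reasons = [];
        if (in_array($ip, KNOWN_BAD_IPS, true)) {
            $reasons[] = 'known-bad-ip';
        }
        if (str_starts_with($path, '/api/system/')) {
            $reasons[] = 'sensitive-endpoint';
        }
        if (str_contains($path, 'string_render')) {
            $reasons[] = 'string_render';
        }
        if ($reasons !== []) {
            $hits[] = compact('ip', 'timestamp', 'method', 'path', 'status', 'reasons');
        }
    }
    return $hits;
}

// Constructed sample templates: one benign, one with a DI-container expression.
$templates = [
    'email/welcome.twig' => "Hello {{ client.first_name }},\nWelcome to {{ company.name }}.",
    'email/invoice.twig' => "Invoice {{ invoice.id }}\n{{ api.getDi().pdo.query('SELECT 1') }}",
];
foreach ($templates as $name => $source) {
    foreach (auditTemplate($name, $source) as $f) {
        printf("[template] %s:%d %-14s %s\n", $f['template'], $f['line'], $f['rule'], $f['text']);
    }
}

// Constructed sample log lines (combined format).
$log = [
    '203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /client/invoice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '160.30.209.77 - - [01/Jan/2026:10:00:05 +0000] "POST /api/system/string_render HTTP/1.1" 200 128 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /api/system/version HTTP/1.1" 403 64 "-" "python-requests/2.31"',
];
foreach (auditAccessLog($log) as $h) {
    printf("[log] %s %s %s -> %s (%s)\n", $h['timestamp'], $h['ip'], $h['path'], $h['status'], implode(',', $h['reasons']));
}
```

The template rules are deliberately narrow so that the output is reviewable by hand; a hit is a prompt to read the template, not proof of compromise. The log check flags the sensitive endpoint regardless of response code, since a 403 from a WAF rule is still evidence that someone is probing it.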

Given the breadth of access that abuse of the DI container provides, organizations that detect exploitation attempts should treat them as a complete system compromise and initiate incident response without delay. The situation surrounding CVE-2026-28496 serves as a stark reminder of the vulnerabilities present in widely used software systems and the pressing need for continual vigilance and proactive security measures.
