External risk intelligence

FOSSBilling SSTI Vulnerability Allows Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-28496

FOSSBilling is a web-based billing and client management application. By design, such systems act as internet-facing platforms for customer interaction, account management, and payment processing, making the web interface and associated API endpoints commonly reachable and accessible from the public internet.

Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a security vulnerability in FOSSBilling, an open-source billing and client management system. The issue allows authorized users to execute arbitrary code by injecting commands into certain template systems, potentially leading to significant information disclosure and system compromise. The primary concern is confirming if our organization utilizes this system and if it is exposed.

  • A flaw allows code injection through template rendering.
  • Leadership should remember this if we use FOSSBilling.
  • Confirm relevance and exposure for this system.

Attack Path

How an attacker could exploit the issue

Attackers with administrative privileges can exploit this vulnerability by manipulating template rendering features, such as email templates or API endpoints, to inject malicious code. This occurs because the system renders Twig templates without proper security measures, allowing unauthorized access to sensitive information and the potential for remote code execution.

  • Administrator access required.
  • Inject code into rendered templates.
  • Leads to information disclosure, RCE.

Live Threat

Current exploitation, exposure, and threat context

Administrators with specific access could allow attackers to execute arbitrary code by injecting malicious expressions into template rendering functions. This could lead to the disclosure of sensitive system or user information due to the vulnerability existing in a system that renders Twig templates without a sandbox, enabling access to the application's full Twig environment and dependency injection container.

  • Sensitive system and user data.
  • Through specially crafted template inputs.
  • Information disclosure and code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

System owners responsible for FOSSBilling instances must first identify all deployments, determine their exposure and criticality, and then assign remediation ownership. Given the potential for information disclosure and remote code execution, prioritizing affected systems and coordinating with the vendor or internal development teams for patching or applying workarounds is essential.

  • Identify affected FOSSBilling instances.
  • Verify external reachability and business impact.
  • Plan remediation with responsible teams.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is FOSSBilling?

FOSSBilling is a free, open-source platform designed for billing and client management. It acts as a central hub for businesses to handle customer interactions, process payments, and manage service accounts. Because it maintains sensitive financial and user data, it typically functions as a web-accessible portal that links directly to backend database and configuration systems.

What does Server-Side Template Injection mean for CVE-2026-28496?

This vulnerability, classified as Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336), occurs because the system renders Twig templates without a sandbox. Normally, a template engine restricts what code can run, but here it allows the server to execute any Twig expression provided by a user. This grants the ability to interact with the underlying application environment, potentially leading to unauthorized data access or the execution of arbitrary system commands.

How can an attacker trigger this vulnerability?

An attacker must have administrative privileges to access features that trigger template rendering, such as email campaign editors or specific API endpoints like `string_render`. Simply visiting the public-facing pages of the billing portal as a standard customer is not sufficient to trigger the flaw. The vulnerability requires the submission of malicious Twig expressions into these specific administrative input fields.

Is my FOSSBilling instance at risk?

According to Halo Surface Signal, FOSSBilling is designed to be an internet-facing platform, making its web interface and API endpoints commonly reachable from the public internet. If your instance is accessible externally, an attacker who gains administrative credentials could exploit this path. Organizations should assess if their deployment is reachable from outside the internal network, as this significantly increases the risk profile.

How do I secure my system against this threat?

The most effective resolution is to upgrade FOSSBilling to version 0.8.0, which includes the necessary template sandboxing. If you cannot update immediately, you should restrict external network access to the `/api/system/*` endpoints using a WAF or reverse proxy. Additionally, conduct an internal audit of all stored email templates to remove suspicious expressions and rotate all existing administrative and client API tokens.

References