CVE-2026-28496

Published Jun 23, 2026

Last updated 10 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-28496 is a Server-Side Template Injection (SSTI) vulnerability found in FOSSBilling, an open-source billing and client management system. This flaw affects all versions of FOSSBilling released prior to 0.8.0. The vulnerability arises from inadequate sandboxing within the Twig template engine, which is used for rendering templates in the system. Administrators who have access to features that render Twig templates, such as email templates, mass mail campaigns, custom payment adapters, or the `string_render` API endpoint, can exploit this vulnerability. By injecting arbitrary Twig expressions, an attacker can achieve information disclosure and remote code execution. The absence of proper template isolation allows these injected expressions to access the full Twig environment, API context, and the application's dependency injection container.

Description

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available: audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at the reverse proxy or WAF to mitigate chaining with GHSA-78x5-c8gw-8279.
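The root cause above is rendering admin-supplied templates through a bare Twig Environment. The following PHP is an added example, not FOSSBilling's code or its 0.8.0 patch: it routes such templates through Twig's SandboxExtension with a restrictive SecurityPolicy, so a template that reaches for a method, function or property outside the allow-list is refused before it runs. It assumes twig/twig is installed via Composer; the Client class and both templates are constructed for the demonstration.

```php
<?php
// Added example (not FOSSBilling code): render admin-supplied Twig templates
// inside Twig's sandbox instead of a bare Environment. Assumes twig/twig is
// installed via Composer; the Client class and templates are constructed here.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical context object standing in for a real client record.
final class Client
{
    public function __construct(public string $first_name, private string $email) {}
    public function getEmail(): string { return $this->email; }
}

// Allow-list exactly what a notification template legitimately needs;
// every other tag, filter, function, method and property is denied.
$policy = new SecurityPolicy(
    ['if', 'for'],                      // tags
    ['escape', 'upper', 'date'],        // filters ('escape' is needed with autoescape on)
    [],                                 // methods: none, on any class
    [Client::class => ['first_name']],  // properties: only Client::$first_name
    []                                  // functions: none
);

$twig = new Environment(new ArrayLoader([
    'benign' => 'Hello {{ client.first_name|upper }}, invoice #{{ invoice.id }} is due.',
    'probe'  => 'Contact: {{ client.getEmail() }}',  // method call not on the allow-list
]), ['autoescape' => 'html']);

// `true` sandboxes every render, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

// Constructed context: plain data only, no services or container handles.
$context = ['client' => new Client('ada', 'ada@example.invalid'), 'invoice' => ['id' => 1042]];

foreach (['benign', 'probe'] as $name) {
    try {
        echo $name, ': ', $twig->render($name, $context), PHP_EOL;
    } catch (SecurityError $e) {
        // The policy rejects the disallowed method call before it executes.
        echo $name, ': rejected by sandbox (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The `benign` template renders normally while `probe` raises a SecurityError; tightening the policy further (no filters, no tags) is the right default when templates only need variable substitution.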
Source
security-advisories@github.com
NVD status
Deferred

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.4
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

5