CVE-2026-28496: Critical SSTI Vulnerability in FOSSBilling Poses Imminent Risk of RCE and Database Compromise
A high-severity Server-Side Template Injection (SSTI) vulnerability has been identified in FOSSBilling, tracked as CVE-2026-28496. This flaw allows for potential Remote Code Execution (RCE) and full database exfiltration. Alarmingly, threat intelligence suggests that active exploitation attempts began almost immediately following the public disclosure of the vulnerability.
The flaw impacts all versions of FOSSBilling up to and including 0.7.2. Users are urged to upgrade to version 0.8.0 immediately to remediate the issue.
Technical Deep Dive: The Mechanics of the Injection
At its core, the vulnerability stems from the unsafe implementation of the Twig templating engine. Specifically, the application’s template rendering pipeline fails to enforce a sandbox environment when processing user-supplied input. The primary culprit is the renderString() method, which utilizes Twig’s createTemplate() function without any restricted execution context.
Because the StringLoaderExtension is enabled in the Twig configuration, an attacker can inject malicious expressions that the engine treats as legitimate logic. This vulnerability is particularly dangerous because it can be triggered through multiple entry points, including:
- Email template configurations and mass mailing campaigns.
- Custom payment adapter definitions.
- The
string_renderAPI endpoint.
While the SSTI itself typically requires administrative privileges, security researchers have noted that it can be chained with a previously identified authentication bypass vulnerability. This combination allows unauthenticated, remote attackers to achieve full system takeover.
Escalating Privileges via Dependency Injection (DI) Abuse
What elevates this from a standard template injection to a catastrophic system compromise is the exposure of the internal Dependency Injection (DI) container. By leveraging the getDi() method available on API handler objects, an attacker can traverse the application’s service layer to interact directly with core backend components.
Once access to the DI container is gained, an attacker can manipulate high-privilege services such as:
- PDO (PHP Data Objects): Facilitating unrestricted SQL queries for data theft or manipulation.
- Symfony FilesystemAdapter: Allowing for unauthorized cache manipulation and file system writes.
- Session and Password Services: Enabling session hijacking and the creation of rogue administrative accounts.
Furthermore, when the injection is performed via custom payment gateways, the malicious payload may be rendered back to end-users, effectively introducing a secondary Stored Cross-Site Scripting (XSS) vector, expanding the attack surface to the client side.
Real-World Exploitation and Threat Intelligence
The urgency of this flaw is validated by reports from DefusedCyber, which observed exploitation attempts within 24 hours of the vulnerability’s disclosure. Notably, these attacks appeared to be targeted rather than random automated scans, evidenced by traffic originating from specific infrastructure (e.g., IP 160.30.209.77 / ASN: AS137552 Terabix).
🚨 Yesterday we observed CVE-2026-28496 (FOSSBilling Template Injection vulnerability CVSS 9.4) being exploited
We do not operate a FOSSBilling honeypot – however, this actor does not appear on other major honeypot platforms making it a potentially targeted campaign.… pic.twitter.com/mB4y4kk3TC
— Defused (@DefusedCyber) June 25, 2026
With a CVSS v4 score of 9.4, the impact on confidentiality, integrity, and availability is near-total.
Recommended Mitigation and Incident Response
If you are running FOSSBilling, immediate action is required. We recommend the following defensive posture:
- Immediate Patching: Update to FOSSBilling v0.8.0 or higher.
- Template Audit: Manually inspect all custom Twig templates for suspicious or obfuscated expressions.
- Endpoint Hardening: Use a Web Application Firewall (WAF) or reverse proxy to restrict access to sensitive API paths, specifically
/api/system/*. - Credential Rotation: As a precaution, rotate all API tokens and sensitive environment variables.
- Forensic Investigation: Check server logs for the identified malicious IP and look for unusual database queries or unauthorized administrative user creation.
Note: Due to the level of access provided by the DI container abuse, any sign of exploitation should be treated as a full system compromise. Organizations should immediately trigger their formal incident response protocols.