Critical FOSSBilling SSTI (CVE-2026-28496) Allows Full RCE
Security researchers have sounded the alarm over a critical server-side template injection (SSTI) vulnerability in FOSSBilling tracked as CVE-2026-28496 that can lead to full database compromise and remote code execution (RCE).
The flaw, documented in GitHub advisory GHSA-57mv-jm88-66jc, affects all FOSSBilling releases through 0.7.2 and is patched in 0.8.0; however, early signs show active exploitation beginning within 24 hours of public disclosure, underscoring both the severity and rapid weaponization risk.
At the technical core, the vulnerability stems from unsafe use of Twig template rendering: FOSSBilling’s template pipeline, notably the renderString() method, calls Twig’s createTemplate() without enforcing a sandbox environment.
Because the StringLoaderExtension is enabled and no sandboxing restricts expression evaluation, user-controlled input such as email templates, mass-mail campaign content, custom payment gateway templates, or payloads sent to the string_render API endpoint can contain arbitrary Twig expressions that execute in the application context.
This unsafe configuration exposes the entire application environment to attacker-supplied code, including access to API handler objects that expose a getDi() method.
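To make the unsafe pattern concrete, here is an added example (not FOSSBilling's own code) that places the unsandboxed createTemplate() usage beside a variant that turns on Twig's SandboxExtension globally behind an explicit allowlist; the ClientView class, the Composer autoload path and the policy contents are assumptions.

```php
<?php
// Added example (not FOSSBilling's code): sandboxed replacement for an
// unsandboxed renderString()-style helper. Assumes Twig 3 installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for an application object a template may reference.
final class ClientView
{
    public function __construct(private string $name) {}
    public function getName(): string { return $this->name; }
    public function getDi(): string { return 'container'; } // must stay unreachable
}

// Weak pattern described in the advisory: a user-supplied template string is
// compiled with no sandbox, so every expression in it is evaluated as-is.
function renderStringUnsafe(string $tpl, array $ctx): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($tpl)->render($ctx);
}

// Hardened variant: global sandbox, allowlist of tags/filters/methods only.
function renderStringSandboxed(string $tpl, array $ctx): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                      // allowed tags
        ['escape', 'upper'],                // allowed filters
        [ClientView::class => ['getName']], // allowed methods, per class
        [],                                 // allowed properties
        []                                  // allowed functions
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true)); // true = always on
    try {
        return $twig->createTemplate($tpl)->render($ctx);
    } catch (SecurityError $e) {
        // Refuse the whole template instead of rendering partial output.
        error_log('template rejected: ' . $e->getMessage());
        return '';
    }
}

$ctx = ['client' => new ClientView('Acme')];
echo renderStringSandboxed('Hello {{ client.getName()|upper }}', $ctx), "\n";
echo renderStringSandboxed('{{ client.getDi() }}', $ctx), "\n"; // blocked by the policy
```

A sandbox policy limits what a stored template can reach but does not substitute for upgrading to 0.8.0, since the authorization bypass mentioned below is a separate issue.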
Abuse of the internal dependency injection (DI) container magnifies impact: attackers able to call getDi() can reach services like PDO for unrestricted SQL queries, Symfony’s FilesystemAdapter for cache and file manipulation, session handlers to hijack or forge sessions, and password utilities that may enable account takeover.
With these primitives, an attacker can read and write database contents, create rogue administrative accounts, harvest client and company configuration data, and in some cases extract staff password hashes yielding a pathway to full system compromise.
While exploitation of the SSTI by itself requires administrative privileges, researchers warn that chaining this issue with an authorization bypass (tracked separately as GHSA-78x5-c8gw-8279) enables unauthenticated attackers to achieve the same destructive outcomes, turning a privileged-only bug into a complete remote takeover vector.
The threat profile further broadens when template rendering occurs in contexts visible to end users. When the custom payment gateway functionality renders attacker-controlled templates back to clients, the vulnerability introduces a stored client-side attack vector such as cross-site scripting (XSS) in addition to backend compromise, a particularly dangerous combination in shared hosting or SaaS billing environments where user interaction is frequent.
Threat intelligence from DefusedCyber indicates exploitation attempts began within a day of disclosure from an IP address identified as 160.30.209.77 (ASN AS137552, Terabix), suggesting targeted campaigns and likely private exploit development rather than only opportunistic scanning.
The vulnerability carries a CVSS v4 score of 9.4, reflecting high impact across confidentiality, integrity, and availability. Immediate actions for security teams are clear: upgrade all FOSSBilling instances to version 0.8.0 without delay and audit every Twig template and template-enabled feature for suspicious expressions or unauthorized changes.
Additional mitigations include rotating API tokens and credentials, restricting access to sensitive API endpoints (for example /api/system/*) using WAF rules or reverse proxy filters, and scanning logs for indicators of compromise such as unexpected connections from the reported IP or anomalous template rendering activity.
Given the depth of access possible through DI container misuse, incident responders should treat confirmed exploitation as a potential full compromise: preserve forensic evidence, isolate affected hosts, and execute a coordinated incident response and recovery plan.
Administrators who cannot immediately patch should at minimum disable template-editing features exposed to untrusted users, apply strict input validation on template fields, and implement temporary WAF rules to block suspicious payload patterns while they upgrade and investigate.