Unrated

Unsandboxed Twig SSTI in FOSSBilling

IdentifiersCVE-2026-28496CWE-1336

CVE-2026-28496 is a server-side template injection vulnerability in FOSSBilling's Twig template rendering system affecting versions prior to 0.8.0. Twig templates were rendered without a sandbox, exposing the full Twig environment, API context, and the application's dependency injection container. In practice, an attacker able to supply Twig expressions through template-rendering features such as email templates, mass mail campaigns, custom payment adapters, or the string_render API endpoint can execute arbitrary Twig expressions. The exposed context includes an Api_Handler object implementing InjectionAwareInterface; its getDi() method returns the full Pimple DI container, enabling access to sensitive services such as database, cache, session, authentication, password hashing, extension management, and updater components. This can result in information disclosure and, depending on reachable services and chaining, remote code execution. The issue was fixed in FOSSBilling 0.8.0 by replacing the unsafe renderer with a sandboxed Twig renderer backed by a Twig SecurityPolicy.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to evaluate arbitrary Twig expressions in the application context. This can expose sensitive application data and internal services, including database access, API context, sessions, authentication material, and secrets stored in the platform. Through DI container access, an attacker may read administrator email addresses and password hashes, extract customer PII, payment processor credentials, invoices, transactions, hosting control panel credentials, sessions, and API tokens. In demonstrated chaining scenarios, the flaw can be leveraged to write to the database, create administrator accounts, poison cache entries used by the extension installer, install attacker-controlled modules, and achieve remote code execution as the web server user.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by auditing existing email templates and other Twig-rendered content for suspicious expressions, rotating all admin and client API tokens, and blocking external access to /api/system/* at the reverse proxy or WAF to reduce chaining risk with GHSA-78x5-c8gw-8279 / CVE-2026-27604. Restrict access to administrative features that can render Twig templates, review installed custom payment adapters and modules, and monitor for unexpected extension installation activity or template changes.

Remediation

Patch, then assume compromise.

Upgrade FOSSBilling to version 0.8.0 or later. The vendor patch replaces the unsafe string_render behavior with a sandboxed Twig renderer enforced by a Twig SecurityPolicy. Because exploitation may expose credentials and tokens, administrators should also audit existing templates and related rendered content for malicious Twig expressions, review for unauthorized administrator creation or module installation, and rotate all admin and client API tokens after patching.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

cvefeed high severityNews

Jun 23, 2026

CVE-2026-28496 - FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE

A critical server-side template injection vulnerability in FOSSBilling's Twig template rendering that can allow information disclosure and remote code execution in versions prior to 0.8.0.

vulncheck blogNews

Apr 1, 2026

CVE-2026-28496 - FOSSBilling Auth Bypass and Twig SSTI to Unauthenticated RCE | Blog | VulnCheck

An unsandboxed Twig server-side template injection vulnerability in FOSSBilling's string_render functionality that exposes the DI container and can be escalated to remote code execution, especially when chained with the auth bypass.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-28496

NVD

nvd.nist.gov/vuln/detail/CVE-2026-28496

MITRE CWE · CWE-1336

cwe.mitre.org