Mallory
Unrated

Unsandboxed Twig SSTI in FOSSBilling

Identifiers: CVE-2026-28496, CWE-1336

CVE-2026-28496 is a server-side template injection (SSTI) vulnerability in FOSSBilling's Twig template rendering affecting versions prior to 0.8.0. Twig templates rendered through administrator-accessible features, including email templates, mass mail campaigns, custom payment adapters, and the string_render API endpoint, were processed without a sandbox. An attacker able to supply Twig expressions therefore had the full Twig environment, the API context, and the application's dependency injection container at their disposal.

The exposed context included an Api_Handler object via the guest global, and Api_Handler::getDi() returned the full Pimple DI container, exposing services such as database access, cache, authentication, session, password hashing, Twig, and extension management. This unsandboxed rendering path allowed arbitrary Twig expression evaluation, which could be leveraged for sensitive data disclosure and, in practical exploit chains, remote code execution.


Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to evaluate arbitrary Twig expressions in the application context, exposing sensitive application internals and enabling access to the dependency injection container and backend services. This can result in disclosure of administrator email addresses and password hashes, customer PII, invoices, transactions, payment processor secrets, hosting control panel credentials, sessions, and API tokens. In demonstrated chaining scenarios, the flaw can be used to execute arbitrary SQL, create administrator accounts, poison the Symfony cache used by the extension installer, and ultimately install a malicious module, resulting in remote code execution as the web server user.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, audit existing email templates and other administrator-controlled Twig-rendered content for suspicious Twig expressions, in particular anything that calls methods on the guest global (such as getDi()) or otherwise reaches objects beyond the variables the template is meant to use. Rotate all administrator and client API tokens, and restrict or block external access to /api/system/* at the reverse proxy or WAF to reduce exposure and the chaining risk with GHSA-78x5-c8gw-8279 / CVE-2026-27604. These are compensating controls only; they do not remove the underlying SSTI in affected versions.

Remediation

Patch, then assume compromise.

Upgrade FOSSBilling to version 0.8.0 or later. The fix replaces the unsafe renderer with a sandboxed Twig renderer backed by a Twig SecurityPolicy and removes the vulnerable unsandboxed template execution path. If the deployment is on an affected version, prioritize patching, because this issue can be chained with the related authentication bypass affecting /api/system/*. After patching, review and clean existing templates and related configuration for malicious Twig payloads that may have been persisted before remediation, since the sandbox only stops them from executing and does not remove them.
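As an added illustration of the bug class and of the kind of fix described above (example code written for this page, not FOSSBilling's code or its actual patch), the PHP below renders an administrator-supplied template two ways: once through an unsandboxed Twig environment that exposes a guest global whose getDi() method hands back a container, and once through an environment with a Twig\Sandbox\SecurityPolicy that allow-lists a single benign method. FakeApiHandler, FakeContainer and the DSN string are constructed stand-ins for the page's Api_Handler and Pimple container; the script assumes twig/twig 3 installed through Composer. The auditTemplate helper is the shape of the pre-patch audit suggested under Mitigation: re-rendering stored templates under the policy surfaces expressions the policy rejects.

```php
<?php
// Added example, not FOSSBilling code. Assumes: composer require twig/twig (3.x), PHP 8.1+.
// FakeContainer / FakeApiHandler are constructed stand-ins for Pimple and Api_Handler.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Stand-in DI container: array-style access like Pimple, holding privileged services.
final class FakeContainer implements ArrayAccess
{
    public function __construct(private array $services) {}
    public function offsetExists(mixed $k): bool  { return isset($this->services[$k]); }
    public function offsetGet(mixed $k): mixed    { return $this->services[$k]; }
    public function offsetSet(mixed $k, mixed $v): void { $this->services[$k] = $v; }
    public function offsetUnset(mixed $k): void   { unset($this->services[$k]); }
}

// Stand-in API handler exposed to templates as the "guest" global.
final class FakeApiHandler
{
    public function __construct(private FakeContainer $di) {}
    public function getDi(): FakeContainer { return $this->di; } // the dangerous method
    public function profile(): string { return 'guest'; }         // a benign, template-facing method
}

// Vulnerable pattern: admin-supplied template source rendered with no sandbox at all.
function renderUnsandboxed(string $source, FakeApiHandler $guest): string
{
    $twig = new Environment(new ArrayLoader());
    $twig->addGlobal('guest', $guest);
    return $twig->createTemplate($source)->render();
}

// Hardened pattern: every template runs under an explicit allow-list policy.
function renderSandboxed(string $source, FakeApiHandler $guest): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                           // allowed tags
        ['escape', 'upper'],                     // allowed filters (escape covers autoescaping)
        [FakeApiHandler::class => ['profile']],  // allowed methods, per class; getDi() is absent
        [],                                      // allowed properties
        [],                                      // allowed functions
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true)); // true: sandbox is always on
    $twig->addGlobal('guest', $guest);
    return $twig->createTemplate($source)->render();
}

// Audit helper: returns the sandbox violation for a stored template, or null if it is clean.
// Caveat: method/property checks fire only on executed paths, so render with representative data.
function auditTemplate(string $source, FakeApiHandler $guest): ?string
{
    try {
        renderSandboxed($source, $guest);
        return null;
    } catch (SecurityError $e) {
        return $e->getMessage();
    }
}

// Constructed sample data; the DSN is a placeholder, not a real credential.
$guest   = new FakeApiHandler(new FakeContainer(['db' => 'mysql://app:constructed-secret@db/billing']));
$benign  = 'Hello {{ guest.profile() }}';
$hostile = '{{ guest.getDi().db }}'; // attacker-controlled expression walking into the container

echo renderUnsandboxed($benign, $guest), "\n";  // Hello guest
echo renderUnsandboxed($hostile, $guest), "\n"; // prints the DSN: the SSTI class on this page

echo renderSandboxed($benign, $guest), "\n";    // Hello guest
try {
    renderSandboxed($hostile, $guest);
} catch (SecurityError $e) {
    // Twig\Sandbox\SecurityNotAllowedMethodError: getDi is not on the allow-list
    echo 'blocked: ', $e->getMessage(), "\n";
}

// Audit pass over stored templates (constructed list standing in for a database query).
foreach (['welcome' => $benign, 'invoice_notice' => $hostile] as $name => $tpl) {
    $verdict = auditTemplate($tpl, $guest);
    echo $name, ': ', $verdict ?? 'ok', "\n";
}
```

The policy is deliberately a deny-by-default allow-list keyed on the concrete class, which is what makes the getDi() call fail at the sandbox boundary rather than relying on the template author never writing it. When porting this idea to a real deployment, build the method and filter lists from what legitimate templates actually use, and remember that the audit helper only exercises the branches the sample data reaches.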
Exploits
No public exploit code observed for this vulnerability.
