CVE-2026-40495

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the hide version public security setting. The FOSSBilling version is embedded in the query string of every <script> and <link> tag generated by the script tag and stylesheet tag Twig filters. This information is visible to all visitors — including unauthenticated guests — on every page, regardless of whether the hide version public setting is enabled. The X-FOSSBilling-Version HTTP header and the guest.system.version API endpoint correctly honour the hide version public setting, but the asset cache buster parameters were overlooked. Knowledge of the exact FOSSBilling version makes it significantly easier for malicious actors to identify known vulnerabilities applicable to a given installation and craft targeted exploits. While not a direct vulnerability on its own, it undermines the intended protection offered by the hide version public setting and facilitates reconnaissance. Version 0.8.0 contains a patch. There is no practical workaround that removes the version from asset URLs without modifying source code.