PT-2026-56028 · Unknown · Fossbilling

Dilipmallavarapu

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-43921

CVSS v4.0

8.9

High

VectorAV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions FOSSBilling versions 0.6.10 through 0.7.2
Description An issue exists in the Config::prettyPrintArrayToPHP() method where string values are written into the config.php file without escaping single quotes during configuration updates. Since config.php is loaded via a bare include on every HTTP request, an attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request.
Recommendations Update to version 0.8.0. Restrict admin access to trusted personnel only. Audit config.php for unexpected PHP code. Restrict access to admin API endpoints that modify configuration at the reverse proxy or WAF level.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43921

Affected Products

Fossbilling