PT-2026-56028 · Unknown · Fossbilling
Dilipmallavarapu
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-43921
CVSS v4.0
8.9
High
| Vector | AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
FOSSBilling versions 0.6.10 through 0.7.2
Description
An issue exists in the
Config::prettyPrintArrayToPHP() method where string values are written into the config.php file without escaping single quotes during configuration updates. Since config.php is loaded via a bare include on every HTTP request, an attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request.Recommendations
Update to version 0.8.0.
Restrict admin access to trusted personnel only.
Audit
config.php for unexpected PHP code.
Restrict access to admin API endpoints that modify configuration at the reverse proxy or WAF level.Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fossbilling