Back to overview

CVE-2026-33734

MEDIUM
6.9
CVSS 4.0
Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a SQL injection vulnerability in the `Massmailer` module filter functionality. An authenticated administrator can supply crafted filter values when updating a mass email message, causing untrusted input to be interpolated directly into SQL in the recipient selection query. Version 0.8.0 patches the issue. Some workarounds are available. Restrict administrator access to trusted users only, disable the `Massmailer` module if it is not required, audit existing records in the `mod_massmailer` table for suspicious filter values, and/or review administrator activity related to `Massmailer` message updates.

Metadata

CVE ID
CVE-2026-33734
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-03-23 17:34 UTC
Published
2026-07-06 20:56 UTC
Last updated
2026-07-06 20:56 UTC
Primary CWE
CWE-89
CWE-89: Improper Neutralization of Special Elements used in …
Vendor / Product
FOSSBilling / FOSSBilling
Sources
cve.org  ·  NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
FOSSBilling FOSSBilling >= 0.6.0, < 0.8.0
Weakness (CWE)
CWESourceDescription
CWE-89 cna CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References (1)
Back to overview