Back to overview

CVE-2026-43921

HIGH
8.9
CVSS 4.0
Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. When configuration values are updated, string values are written into `config.php` without escaping single quotes. Because `config.php` is loaded via a bare `include` on every HTTP request, an attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request. Version 0.8.0 contains a patch. Some workarounds are available. Restrict admin access to trusted personnel only; audit `config.php` for unexpected PHP code; and/ or at the reverse proxy/WAF level, restrict access to admin API endpoints that modify configuration.

Metadata

CVE ID
CVE-2026-43921
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-04 16:11 UTC
Published
2026-07-06 21:38 UTC
Last updated
2026-07-06 21:38 UTC
Primary CWE
CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product
FOSSBilling / FOSSBilling
Sources
cve.org  ·  NVD

Severity & Metrics

8.9 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products (1)
VendorProductPlatformVersions
FOSSBilling FOSSBilling >= 0.6.10, < 0.8.0
Weakness (CWE)
CWESourceDescription
CWE-94 cna CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.9 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References (1)
Back to overview