Back to overview

CVE-2026-53641

MEDIUM
4.8
CVSS 4.0
Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a stored cross-site scripting (XSS) vulnerability in the client-facing email history views of FOSSBilling. Email HTML content (`content_html`) is rendered into a JavaScript template literal using the `|raw` filter, bypassing all output escaping. An attacker with admin access can inject malicious JavaScript payloads into email content that execute in the browser of any client who views their email history. Version 0.8.0 contains a fix. Some workarounds are available. Restrict admin account access, audit email content in the database for suspicious payloads, and/or monitor client accounts for unusual activity.

Metadata

CVE ID
CVE-2026-53641
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-09 20:16 UTC
Published
2026-07-06 22:36 UTC
Last updated
2026-07-06 22:41 UTC
Primary CWE
CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product
FOSSBilling / FOSSBilling
Sources
cve.org  ·  NVD

Severity & Metrics

4.8 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products (1)
VendorProductPlatformVersions
FOSSBilling FOSSBilling >= 0.6.0, < 0.8.0
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-838 cna CWE-838: Inappropriate Encoding for Output Context
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.8 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References (1)
Back to overview