A critical vulnerability (CVE-2026-28496) in FOSSBilling allows template injection. Rated CVSS 9.4, it enables attackers to access sensitive data and achieve remote code execution. The flaw stems from improper input validation in the application's Twig template rendering, which does not employ Twig's sandbox. All versions from 0.1.0 to 0.7.2 are affected, and exploitation attempts have already been observed in the wild.
Users are urged to upgrade to version 0.8.0 to mitigate the risk. Interim measures include auditing existing email templates for unexpected content and blocking specific external access.
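For context on the "no sandboxing" point, the following is an added defensive example, not FOSSBilling's code or its 0.8.0 fix: it renders a user-editable email template through Twig's SandboxExtension so that only an explicit allowlist of tags, filters and object members can be used. The `Customer` class, the allowlist contents and the Composer autoload path are assumptions.

```php
<?php
// Added example (not FOSSBilling's code). Assumes Twig 3.x installed via
// Composer and PHP 8.0+ (constructor property promotion).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical object exposed to email templates; only the listed
// properties are reachable from inside the sandbox.
final class Customer
{
    public function __construct(public string $name, public string $email) {}
}

function buildSandboxedTwig(): Environment
{
    $twig = new Environment(new ArrayLoader(), [
        'autoescape' => 'html',   // escape all output by default
        'cache'      => false,
    ]);
    $policy = new SecurityPolicy(
        ['if', 'for'],                           // allowed tags
        ['escape', 'date'],                      // allowed filters
        [],                                      // allowed methods: none
        [Customer::class => ['name', 'email']],  // allowed properties
        []                                       // allowed functions: none
    );
    // Second argument true: every template rendered by this environment is
    // sandboxed, not only blocks wrapped in a {% sandbox %} tag.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

function renderEmail(string $template, Customer $customer): string
{
    try {
        return buildSandboxedTwig()
            ->createTemplate($template)
            ->render(['customer' => $customer]);
    } catch (SecurityError $e) {
        // Anything outside the allowlist is refused; log it for detection
        // and send nothing rather than a partially rendered message.
        error_log('Rejected email template: ' . $e->getMessage());
        return '';
    }
}

$customer = new Customer('Ada', 'ada@example.invalid');   // constructed sample
echo renderEmail('Hello {{ customer.name }}, your invoice is ready.', $customer), PHP_EOL;
// A filter that is not on the allowlist (here: upper) is refused outright.
echo renderEmail('{{ customer.name|upper }}', $customer) === '' ? "rejected\n" : "rendered\n";
```

Logging the rejected template and the source of the edit gives defenders a detection signal for tampering attempts as well as containment.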