CVE-2026-43921

Source
https://cve.org/CVERecord?id=CVE-2026-43921
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43921.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43921
Aliases
  • GHSA-v4j9-w6pj-38w5
Published
2026-07-06T21:38:49.078Z
Modified
2026-07-09T03:51:53.546657162Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
FOSSBilling vulnerable to arbitrary PHP code injection via unescaped config serialization
Details

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's Config::prettyPrintArrayToPHP() method. When configuration values are updated, string values are written into config.php without escaping single quotes. Because config.php is loaded via a bare include on every HTTP request, an attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request. Version 0.8.0 contains a patch. Some workarounds are available. Restrict admin access to trusted personnel only; audit config.php for unexpected PHP code; and/ or at the reverse proxy/WAF level, restrict access to admin API endpoints that modify configuration.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43921.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/fossbilling/fossbilling

Affected ranges

Type
GIT
Repo
https://github.com/fossbilling/fossbilling
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0.6.10"
        },
        {
            "fixed": "0.8.0"
        },
        {
            "fixed": "0.7.2"
        }
    ]
}

Affected versions

0.*
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.15
0.6.16
0.6.17
0.6.18
0.6.19
0.6.20
0.6.21
0.6.22
0.7.0
0.7.1
0.7.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43921.json"