CVE-2026-43921 in FOSSBillinginfo

Summary

by MITRE • 07/07/2026

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. When configuration values are updated, string values are written into `config.php` without escaping single quotes. Because `config.php` is loaded via a bare `include` on every HTTP request, an attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request. Version 0.8.0 contains a patch. Some workarounds are available. Restrict admin access to trusted personnel only; audit `config.php` for unexpected PHP code; and/ or at the reverse proxy/WAF level, restrict access to admin API endpoints that modify configuration.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The FOSSBilling PHP code injection vulnerability represents a critical security flaw in versions 0.6.10 through 0.7.2 that stems from improper input sanitization within the Config::prettyPrintArrayToPHP() method. This vulnerability operates at the application level and demonstrates a classic improper output escaping weakness that directly impacts the system's configuration management functionality. The flaw occurs when administrative users update configuration values, as the system fails to properly escape single quotes in string values before writing them to the config.php file. This represents a CWE-116 vulnerability category related to improper encoding or escaping of output, specifically manifesting as inadequate sanitization of user-provided data during configuration persistence operations.

The technical exploitation of this vulnerability requires an attacker to already possess administrative privileges within the FOSSBilling system, making it a privilege escalation issue rather than a remote code execution vulnerability. However, the impact remains severe due to the persistent nature of the configuration file and how it's loaded throughout the application lifecycle. The config.php file is included using a bare include statement on every HTTP request, meaning any PHP code injected into this file executes automatically with each request processing. This creates an ideal environment for persistent backdoor execution where malicious code remains active until the configuration file is manually modified or the system is restarted. The vulnerability operates under the ATT&CK framework's T1059.007 technique for command and scripting interpreter, specifically targeting PHP script execution within the application context.

The operational impact of this vulnerability extends beyond simple code injection, as it provides attackers with persistent access to the entire FOSSBilling installation. Once exploited, the injected PHP code executes with the same privileges as the web server process, potentially allowing attackers to access sensitive client data, modify billing records, escalate privileges further within the system, or use the compromised instance as a pivot point for attacking other systems in the network. The vulnerability affects any administrative user who can modify configuration settings, making it particularly dangerous in environments where multiple administrators have access or where administrative credentials are compromised through other attack vectors. This represents a significant risk for businesses relying on FOSSBilling for client management and billing operations.

The remediation approach requires immediate action to upgrade to version 0.8.0 which contains the necessary patch addressing the root cause of the vulnerability. Organizations should implement multiple layers of defense including strict access controls limiting administrative privileges to trusted personnel only, regular auditing of configuration files to detect unexpected PHP code injection, and network-level protections through reverse proxies or web application firewalls that restrict access to admin API endpoints modifying configuration parameters. The patch in version 0.8.0 likely implements proper escaping mechanisms for special characters when writing configuration values, ensuring that single quotes and other potentially dangerous characters are properly encoded before being written to the config.php file. Additionally, implementing automated monitoring solutions that can detect unauthorized modifications to configuration files provides an extra layer of security beyond the immediate technical fix.

Responsible

GitHub M

Reservation

05/04/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!