CVE-2026-43921 - CERT CVE
ID CVE-2026-43921
Sažetak FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. When configuration values are updated, string values are written into `config.php` without escaping single quotes. Because `config.php` is loaded via a bare `include` on every HTTP request, an attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request. Version 0.8.0 contains a patch. Some workarounds are available. Restrict admin access to trusted personnel only; audit `config.php` for unexpected PHP code; and/ or at the reverse proxy/WAF level, restrict access to admin API endpoints that modify configuration.
Reference
CVSS
Base: 0.0
Impact: None
Exploitability:None
Pristup
VektorSloženostAutentikacija
None None None
Impact
PovjerljivostCjelovitostDostupnost
None None None
CVSS vektor None
Zadnje važnije ažuriranje 06-07-2026 - 22:16
Objavljeno 06-07-2026 - 22:16