CVE-2026-28496
FOSSBilling · FOSSBilling
FOSSBilling versions prior to 0.8.0 are susceptible to Server-Side Template Injection (SSTI) in the Twig rendering engine, enabling remote code execution for authenticated administrators.
Executive summary
A critical Server-Side Template Injection (SSTI) vulnerability in FOSSBilling allows authenticated administrators to execute arbitrary code and compromise the underlying server environment.
Vulnerability
The application renders Twig templates without a sandbox, exposing the dependency injection container and internal API context. This vulnerability is triggered via features that process templates, such as email campaigns or the string_render API endpoint, requiring administrative authentication.
Business impact
With a CVSS score of 9.4, this vulnerability represents a severe threat to the entire hosting environment. Successful exploitation allows an attacker with administrative privileges to achieve remote code execution, leading to full system compromise, database exfiltration, and potential lateral movement across the network.
Remediation
Immediate Action: Upgrade to FOSSBilling version 0.8.0 or later to implement proper Twig template sandboxing.
Proactive Monitoring: Audit existing email templates and mass mail campaign configurations for suspicious or unauthorized Twig expressions.
Compensating Controls: Restrict access to the /api/system/* endpoints at the Web Application Firewall (WAF) or reverse proxy level to prevent unauthorized interaction with sensitive system functions.
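The contrast between an unsandboxed Twig environment (the condition described above) and a sandboxed one (the fix the upgrade introduces), as an added PHP example that is not FOSSBilling's code. The InternalService class, its method, the context variable names and the whitelist contents are all assumptions chosen for illustration.

```php
<?php
// Added example (not FOSSBilling code). InternalService stands in for any
// internal object that ends up in the template context; its method is made up.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

final class InternalService
{
    // Placeholder for sensitive internal functionality reachable from the context.
    public function getDatabasePassword(): string { return 'db-secret-placeholder'; }
}

// Vulnerable pattern: a plain Environment lets a template call any public
// method or property of any object in its context.
function renderUnsandboxed(string $template, array $context): string
{
    $twig = new Environment(new ArrayLoader(['tpl' => $template]));
    return $twig->render('tpl', $context);
}

// Hardened pattern: the sandbox policy whitelists tags, filters, methods,
// properties and functions; anything else raises a SecurityError.
function renderSandboxed(string $template, array $context): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],               // allowed tags
        ['escape', 'upper', 'date'], // allowed filters ('escape' is needed for autoescape)
        [],                          // allowed methods: none on any class
        [],                          // allowed properties: none
        ['range']                    // allowed functions
    );
    $twig = new Environment(new ArrayLoader(['tpl' => $template]), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox every template
    return $twig->render('tpl', $context);
}

$context = ['client_name' => 'Alice', 'svc' => new InternalService()];
$benign  = 'Hello {{ client_name|upper }}';
$abusive = '{{ svc.getDatabasePassword() }}';

echo renderUnsandboxed($benign, $context), "\n";   // Hello ALICE
echo renderUnsandboxed($abusive, $context), "\n";  // leaks db-secret-placeholder
echo renderSandboxed($benign, $context), "\n";     // Hello ALICE
try {
    renderSandboxed($abusive, $context);
} catch (SecurityError $e) {
    echo 'blocked: ', $e->getMessage(), "\n";       // method call rejected by the policy
}
```

The same policy approach is what to look for when auditing stored email templates: any template that needs a method call on a context object is a finding, since a well-scoped whitelist should contain no methods at all.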
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is highly severe for administrative users. Organizations must update to version 0.8.0 immediately and perform a full audit of all custom templates and API usage to ensure that no malicious payloads have been previously injected.