PatchSiren cyber security CVE debrief
CVE-2026-33734 FOSSBilling CVE debrief
CVE-2026-33734 is a SQL injection vulnerability in the `Massmailer` module filter functionality of FOSSBilling versions 0.6.0 through 0.7.2. An authenticated administrator can supply crafted filter values when updating a mass email message, causing untrusted input to be interpolated directly into SQL in the recipient selection query. The vulnerability was patched in version 0.8.0. Some workarounds are available, including restricting administrator access to trusted users only, disabling the `Massmailer` module if it is not required, auditing existing records in the `mod_massmailer` table for suspicious filter values, and reviewing administrator activity related to `Massmailer` message updates. This vulnerability has a CVSS score of 6.9 and a severity rating of MEDIUM.
- Vendor
- FOSSBilling
- Product
- Unknown
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Administrators and users of FOSSBilling versions 0.6.0 through 0.7.2 should be aware of this SQL injection vulnerability and take necessary actions to mitigate the risk. This includes updating to version 0.8.0 or applying the recommended workarounds. Operators, security teams, and platform administrators managing FOSSBilling deployments need to assess exposure and prioritize remediation.
Technical summary
The SQL injection vulnerability in FOSSBilling's `Massmailer` module allows an authenticated administrator to inject malicious SQL code when updating a mass email message. This can lead to unauthorized access and manipulation of sensitive data. The vulnerability has a CVSS score of 6.9 and a severity rating of MEDIUM. Affected versions are 0.6.0 through 0.7.2, patched in version 0.8.0. To mitigate the risk, administrators should update to version 0.8.0 or apply the recommended workarounds, including restricting administrator access to trusted users only, disabling the `Massmailer` module if it is not required, auditing existing records in the `mod_massmailer` table for suspicious filter values, and reviewing administrator activity related to `Massmailer` message updates. Additionally, defenders should verify product versions, patch status, and exposed deployments to ensure the vulnerability is properly addressed.
Defensive priority
High
Recommended defensive actions
- Update FOSSBilling to version 0.8.0 or later
- Restrict administrator access to trusted users only
- Disable the `Massmailer` module if it is not required
- Audit existing records in the `mod_massmailer` table for suspicious filter values
- Review administrator activity related to `Massmailer` message updates
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
Evidence notes
The CVE record was published on 2026-07-06T21:16:55.227Z and last modified on 2026-07-07T15:16:43.627Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify product versions, patch status, and exposed deployments.
Official resources
-
CVE-2026-33734 CVE record
CVE.org
-
CVE-2026-33734 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:55.227Z and has not been modified since then. The NVD entry is currently Deferred.