PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43921 FOSSBilling CVE debrief

CVE-2026-43921 is a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. Versions 0.6.10 through 0.7.2 are affected. An attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request. This could lead to unauthorized code execution, data breaches, or system compromise. Version 0.8.0 contains a patch. Some workarounds are available, including restricting admin access and monitoring for unexpected PHP code. The vulnerability allows for potential system compromise if exploited.

Vendor
FOSSBilling
Product
Unknown
CVSS
HIGH 8.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Administrators and users of FOSSBilling versions 0.6.10 through 0.7.2 should apply the patch in version 0.8.0 or implement workarounds to restrict admin access and monitor for unexpected PHP code. Security teams should review the vulnerability and assess potential impact on their environments. This includes verifying affected deployments and reviewing official advisories for specific guidance.

Technical summary

The vulnerability exists in FOSSBilling's `Config::prettyPrintArrayToPHP()` method, where string values are written into `config.php` without escaping single quotes. This allows an attacker with admin privileges to inject arbitrary PHP code that executes on every subsequent request, potentially leading to system compromise or data breaches. The affected versions are 0.6.10 through 0.7.2, and version 0.8.0 contains a patch. The vulnerability could lead to unauthorized code execution, data breaches, or system compromise.

Defensive priority

High

Recommended defensive actions

  • Apply the patch in version 0.8.0
  • Restrict admin access to trusted personnel only
  • Audit `config.php` for unexpected PHP code
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems
  • Track exceptions and retest remediated assets
  • Verify affected deployments exist in managed environments

Evidence notes

The CVE record was published on 2026-07-06T22:16:49.837Z and was last modified on 2026-07-07T15:16:47.073Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance. The information provided is based on available data and may require further verification.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T22:16:49.837Z and has not been modified since then. The NVD entry is currently Deferred.