PatchSiren cyber security CVE debrief
CVE-2026-43921 FOSSBilling CVE debrief
CVE-2026-43921 is a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. Versions 0.6.10 through 0.7.2 are affected. An attacker with admin privileges can inject arbitrary PHP code that executes on every subsequent request. This could lead to unauthorized code execution, data breaches, or system compromise. Version 0.8.0 contains a patch. Some workarounds are available, including restricting admin access and monitoring for unexpected PHP code. The vulnerability allows for potential system compromise if exploited.
- Vendor
- FOSSBilling
- Product
- Unknown
- CVSS
- HIGH 8.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Administrators and users of FOSSBilling versions 0.6.10 through 0.7.2 should apply the patch in version 0.8.0 or implement workarounds to restrict admin access and monitor for unexpected PHP code. Security teams should review the vulnerability and assess potential impact on their environments. This includes verifying affected deployments and reviewing official advisories for specific guidance.
Technical summary
The vulnerability exists in FOSSBilling's `Config::prettyPrintArrayToPHP()` method, where string values are written into `config.php` without escaping single quotes. This allows an attacker with admin privileges to inject arbitrary PHP code that executes on every subsequent request, potentially leading to system compromise or data breaches. The affected versions are 0.6.10 through 0.7.2, and version 0.8.0 contains a patch. The vulnerability could lead to unauthorized code execution, data breaches, or system compromise.
Defensive priority
High
Recommended defensive actions
- Apply the patch in version 0.8.0
- Restrict admin access to trusted personnel only
- Audit `config.php` for unexpected PHP code
- Monitor for suspicious activity
- Review compensating controls for exposed systems
- Track exceptions and retest remediated assets
- Verify affected deployments exist in managed environments
Evidence notes
The CVE record was published on 2026-07-06T22:16:49.837Z and was last modified on 2026-07-07T15:16:47.073Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance. The information provided is based on available data and may require further verification.
Official resources
-
CVE-2026-43921 CVE record
CVE.org
-
CVE-2026-43921 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T22:16:49.837Z and has not been modified since then. The NVD entry is currently Deferred.