CVE-2026-40495
Description
FOSSBilling versions prior to 0.8.0 leak the system version via asset URLs, aiding attackers in identifying vulnerabilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
FOSSBilling versions 0.1.0 through 0.7.2 leak the exact system version through asset cache-buster parameters in HTML output. This occurs in the `script_tag` and `stylesheet_tag` Twig filters, which embed the FOSSBilling version in the query string of `<script>` and `<link>` tags, bypassing the `hide_version_public` security setting [2].
Exploitation
An attacker, including unauthenticated guests, can view the FOSSBilling version on any page by inspecting the source code or network requests. The version is appended as a query parameter to script and stylesheet URLs, regardless of the hide_version_public setting's configuration [2].
Impact
Knowledge of the exact FOSSBilling version allows attackers to more easily identify and target specific vulnerabilities applicable to the installation. While not a direct vulnerability, this information leak facilitates reconnaissance and undermines the intended privacy protection of the hide_version_public setting [2].
Mitigation
FOSSBilling version 0.8.0, released on 2026-05-28, addresses this vulnerability [1, 2]. There is no practical workaround to remove the version from asset URLs without modifying the source code. Users should upgrade to version 0.8.0 or later as soon as possible [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <0.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The FOSSBilling version is unconditionally embedded in asset URLs, bypassing a security setting."
Attack vector
An unauthenticated visitor can view the FOSSBilling system version by inspecting the HTML source code of any page. The version is appended as a query parameter to `<script>` and `<link>` tags generated by the `script_tag` and `stylesheet_tag` Twig filters. This information is exposed regardless of the `hide_version_public` setting's configuration [ref_id=1]. Knowledge of the exact version facilitates targeted exploit development.
Affected code
The vulnerability resides within the `twig_script_tag()` / `scriptTag()` and `twig_stylesheet_tag()` / `stylesheetTag()` Twig filter methods. These methods append the FOSSBilling version to script and link tags, respectively, without respecting the `hide_version_public` setting [ref_id=1]. This occurs during the inclusion of JavaScript and CSS assets via layout files like `layout_default.html.twig` and `layout_public.html.twig` [ref_id=1].
What the fix does
Version 0.8.0 includes a patch that modifies the `script_tag` and `stylesheet_tag` Twig filters. These filters now correctly check the `hide_version_public` setting before appending the version information to asset URLs. This ensures that the system version is not exposed to the public when the setting is enabled, as intended [ref_id=1].
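As an added illustration (not FOSSBilling's own code), the leaky filter pattern the advisory describes, beside a hardened variant that consults the setting before building the URL. The function names, the asset path and the HMAC-based opaque cache-buster are assumptions; the page does not say what the 0.8.0 fix emits in place of the version string.

```php
<?php
declare(strict_types=1);

// Illustration only: a simplified stand-in for a Twig "script_tag" filter.
// Not FOSSBilling's code; names and the hashing scheme are assumptions.

// Builds the <script> tag with a cache-buster query parameter appended.
function buildScriptTag(string $url, string $buster): string
{
    $sep = str_contains($url, '?') ? '&' : '?';
    $src = htmlspecialchars($url . $sep . 'v=' . rawurlencode($buster), ENT_QUOTES, 'UTF-8');
    return '<script src="' . $src . '"></script>';
}

// Leaky pattern (the bug class described above): the version is appended
// unconditionally, so hide_version_public never influences the HTML.
function scriptTagLeaky(string $url, string $version): string
{
    return buildScriptTag($url, $version);
}

// Hardened pattern: check hide_version_public first. When the version must
// stay private, emit an opaque cache-buster derived from the version with an
// install-specific secret, so browsers still refetch assets after an upgrade
// but the version string itself never reaches the client. (Assumed design.)
function scriptTagHardened(string $url, string $version, bool $hideVersionPublic, string $secret): string
{
    $buster = $hideVersionPublic
        ? substr(hash_hmac('sha256', $version, $secret), 0, 16)
        : $version;
    return buildScriptTag($url, $buster);
}

// Constructed sample values (placeholder path and secret).
$version  = '0.7.2';
$secret   = 'per-install-random-secret';
$leaky    = scriptTagLeaky('/assets/app.js', $version);
$hardened = scriptTagHardened('/assets/app.js', $version, true, $secret);

// Regression check a test suite could keep: with the setting enabled, the
// rendered HTML must not contain the version string anywhere.
assert(str_contains($leaky, 'v=0.7.2'));
assert(!str_contains($hardened, '0.7.2'));
echo $leaky, PHP_EOL, $hardened, PHP_EOL;
```

The same check applied to rendered pages (grep the HTML for the installed version string) is a cheap way to confirm that an upgrade actually closed the leak.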
Preconditions
- config: The FOSSBilling system must be installed and accessible.
- auth: No authentication is required; the version is exposed to all visitors, including unauthenticated guests [ref_id=1].
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.