CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53641

unknowncovered by 1 sourcefirst seen 2026-07-06
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have a stored cross-site scripting (XSS) vulnerability in the client-facing email history views of FOSSBilling. Email HTML content (content_html) is rendered into a JavaScript template literal using the |raw filter, bypassing all output escaping. An attacker with admin access can inject malicious JavaScript payloads into email content that execute in the browser of any client who views their email history. Version 0.8.0 contains a fix. Some workarounds are available. Restrict admin account access, audit email content in the database for suspicious payloads, and/or monitor client accounts for unusual activity.

⚡ Watch CVE-2026-53641

Get an email if CVE-2026-53641 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-53641

CVE.org record

Embed the live status

CVE-2026-53641 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53641 status](https://www.csirts.com/badge/CVE-2026-53641)](https://www.csirts.com/cve/CVE-2026-53641)