CVE-2026-40495— FOSSBilling version exposed via asset cache buster

FOSSBilling version exposed via asset cache buster

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the `hide_version_public` security setting. The FOSSBilling version is embedded in the query string of every `<script>` and `<link>` tag generated by the `script_tag` and `stylesheet_tag` Twig filters. This information is visible to all visitors — including unauthenticated guests — on every page, regardless of whether the `hide_version_public` setting is enabled. The `X-FOSSBilling-Version` HTTP header and the `guest.system.version` API endpoint correctly honour the `hide_version_public` setting, but the asset cache buster parameters were overlooked. Knowledge of the exact FOSSBilling version makes it significantly easier for malicious actors to identify known vulnerabilities applicable to a given installation and craft targeted exploits. While not a direct vulnerability on its own, it undermines the intended protection offered by the `hide_version_public` setting and facilitates reconnaissance. Version 0.8.0 contains a patch. There is no practical workaround that removes the version from asset URLs without modifying source code.

N/A

信息暴露

FOSSBilling 信息泄露漏洞

FOSSBilling是FOSSBilling开源的一个面向主机服务商和数字服务提供商的计费与客户管理平台。 FOSSBilling 0.8.0之前版本存在信息泄露漏洞，该漏洞源于通过资产缓存破坏参数泄露系统版本，绕过hide_version_public安全设置，可能导致攻击者识别已知漏洞并实施针对性攻击。

N/A

N/A