Security Advisory - Published 2026-06-24 - PHP edge
Caddy, FastCGI, and FOSSBilling: check the PHP edge before patching
This batch matters when PHP applications depend on Caddy routing, FastCGI path splitting, upstream identity headers, or admin-edited templates. Patch the server and app, then review whether uploaded files, templates, or identity headers crossed a trust boundary.
Affected components
| CVE | Product | Affected | Fixed | CVSS |
|---|---|---|---|---|
| CVE-2026-28496 | FOSSBilling | <= 0.7.2 | 0.8.0 | 9.4 |
| CVE-2026-45135 | Caddy | 2.7.0-2.10.2 | 2.11.3 | 8.1 |
| CVE-2026-52845 | Caddy | < 2.11.4 | 2.11.4 | 8.1 |
Owner self-check
```shell
# Caddy version: host binary first, then the container if that is how it runs
caddy version 2>/dev/null || docker exec <caddy-container> caddy version
# Caddy directives this advisory is about (routing, path splitting, identity headers)
grep -RniE 'php_fastcgi|split_path|forward_auth|copy_headers' Caddyfile caddy 2>/dev/null
# Is FOSSBilling present in the Composer manifest or lock file?
grep -RniE 'fossbilling|fossbilling/fossbilling' composer.json composer.lock 2>/dev/null
# Recent log lines touching templates, mass mail, payment adapters or identity headers
grep -RniE 'template|mass mail|payment adapter|string_render|forward_auth|HTTP_' storage logs var/log 2>/dev/null | tail -180
# PHP-like or template files written in the last 10 days under web-reachable directories
find public uploads storage -type f -mtime -10 2>/dev/null | grep -E '\.(php|phtml|phar|tpl|twig)$'
```
What to review
- FOSSBilling email templates, mass mail campaigns, custom payment adapters, API tokens, and administrator sessions.
- Caddy php_fastcgi routes that serve upload directories or file storage through PHP/FastCGI.
- Caddy forward_auth copy_headers values that PHP applications later trust as user, group, or role identity.
- Recent uploaded files, unexpected PHP-like files, template edits, and Caddy/PHP error logs around the exposure window.
Safe fix path
- Upgrade FOSSBilling to 0.8.0 or newer where it is installed.
- Upgrade Caddy to at least 2.11.4 if Caddy fronts PHP/FastCGI applications.
- Block PHP execution in upload and storage directories before reopening public traffic.
- Rotate admin passwords, API tokens, and payment-provider secrets if templates or identity headers look altered.
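A Caddyfile showing the weak routing beside its hardened form, as an added illustration that is not part of this advisory or of the Caddy project; the site name, PHP-FPM socket, upload and storage paths, auth upstream and the Remote-User/Remote-Groups header names are assumptions.

```caddyfile
# Weak: every *.php path, including anything under /uploads or /storage,
# reaches PHP-FPM, and identity headers a client sends are not removed
# before forward_auth runs.
example.com {
    root * /var/www/app/public
    forward_auth auth-server:9091 {
        uri /api/verify
        copy_headers Remote-User Remote-Groups
    }
    php_fastcgi unix//run/php/php-fpm.sock
    file_server
}

# Hardened: explicit handler order inside route, no PHP under the upload
# or storage tree, and client-supplied identity headers dropped before
# forward_auth sets them from the auth upstream's response.
example.com {
    root * /var/www/app/public
    route {
        # Refuse any PHP-like path component under the upload/storage tree,
        # including "/uploads/x.php/image.jpg" forms that path splitting
        # would otherwise hand to PHP-FPM (case-insensitive).
        @upload_php {
            path /uploads/* /storage/*
            path_regexp (?i)\.(php|phtml|phar)($|/)
        }
        respond @upload_php 403

        # Only the auth upstream may populate these headers: strip whatever
        # the client sent, then let forward_auth copy the verified values.
        request_header -Remote-User
        request_header -Remote-Groups
        forward_auth auth-server:9091 {
            uri /api/verify
            copy_headers Remote-User Remote-Groups
        }

        php_fastcgi unix//run/php/php-fpm.sock
        file_server
    }
}
```

Run `caddy validate --config Caddyfile --adapter caddyfile` after editing, then confirm with a request for a PHP-like path under /uploads that the response is 403 rather than PHP output.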
Repair help
Use Ping7 CVE Repair when billing templates changed, uploaded files reached PHP/FastCGI, or Caddy identity headers need review before production traffic is restored.