FOSSBilling: One Missing throw - From Auth Bypass to Unauthenticated RCE
A missing throw keyword in FOSSBilling's API router exposes the entire admin surface to unauthenticated attackers. Combined with an unsandboxed Twig SSTI that leaks the full DI container, this leads to arbitrary SQL execution, admin takeover, and unauthenticated RCE via malicious extension installation.
CVERCEAuth Bypass