FOSSBilling

0.8.0 (2026-05-28)

FOSSBilling 0.8.0 includes fixes for multiple security vulnerabilities, including critical and high-severity issues. Because this is a larger release with potentially breaking changes, we are providing a short upgrade window before publishing the detailed security advisories. Users should review the release notes, back up their installation, and prioritize upgrading to 0.8.0 as soon as possible.

Please review the breaking changes before updating, especially if you maintain custom modules, themes, or API integrations.

⚠️ Potentially Breaking Changes

• FOSSBilling now requires PHP 8.3 or newer. (#3125)
• The guest API routes have been refactored to expose less information publicly. (#3474)
• The public guest system version endpoint has been removed. (#3467)
• Spamchecker has been migrated to the new Antispam module. (#3463)
• Paidsupport and Servicemembership have been removed. (#3066)
• Pagination methods now receive API data directly. Custom integrations using pagination internals may need updates. (#3449)
• Box_Mod has been reworked into FOSSBilling\Module. (#2754)
• The frontend asset build system has moved from Webpack Encore to esbuild, with shared frontend assets refactored into the new frontend/ structure. Custom themes or build integrations may need updates. (#3126, #3625)

🔐 Security

• Added new email permission keys and expanded permission coverage. (#3447, #3396)
• Added missing password strength checks when updating passwords. (#3436)
• Re-enabled verify_peer and verify_host for external services. (#3395)
• The hide_version_public setting is now honored in JSON response headers. (#3394)
• Improved audit logs and removed the ability to delete them from the admin panel. (#3026)
• Added rate limit system improvements. (#3461)
• Hardened session handling, cookie handling, request URL handling, invoice handling, and file upload validation. (#3570, #3511, #3524, #3315)
• Improved validation around payment IPNs, transaction creation, invoice payment handling, and updater database patch handling. (#3159, #3432, #3463, #3607)
• Hardened installer installed-state checks so an existing config.php, even if invalid, blocks the public installer and must be repaired or removed manually before setup can run again. (#3630, #3636)

📈 Enhancements

• The admin UI and dashboard have been refreshed, including improved dashboard cards, charts, forms, tables, pagination, search, and module screens. (#3596, #3581)
• The Update FOSSBilling page has been reworked with separate update and database patch cards, clearer patch warnings, safer preview-build messaging, longer update timeouts, a stay-on-page warning, and a mandatory backup confirmation before updating. (#3607)
• Payment UI, locale settings, and email templates have been improved. (#3575)
• Currency formatting and admin currency handling have been improved, and the Currency module manage settings permission has been restored. (#3539, #3613)
• File-backed email templates have been added. (#3372)
• Domain ordering now supports more control over domain options for hosting products. (#3160)
• Invoice emails and PDFs now include order and product information variables. (#3065)
• The Support module received broader improvements. (#2997)
• The Massmailer and Currency modules have been migrated toward Doctrine-backed implementations. (#3360, #2963)
• FOSSBilling now supports setting a separate “From” identity for emails. (#2900)
• Modules can now be uninstalled through the admin panel. (#2979)
• The installer UI has been refreshed and configuration validation has been improved. (#3629)

➕ New Features

• Added the new Antispam module, including support for Cloudflare Turnstile and hCaptcha. (#3458, #3004)
• Introduced widgets and added new widget spots in the client area. (#2853, #3519)
• Added a Client Dashboard API endpoint. (#3142)
• Added a default country setting. (#2904)
• Added a URL field type with validation. (#3298)
• Introduced the RequiredParams attribute. (#2965)
• Added the onEveryEvent event. (#2918)

🐛 Bug Fixes

• Fixed client profile saving issues and added stronger profile validation. (#3541, #2992)
• Fixed invisible company logos on staff authentication pages. (#3489)
• Fixed CWP integration issues. (#3240)
• Fixed CSS purging paths and missing Bootstrap collapse behavior in Huraga. (#3241, #3226)
• Fixed Tom Select behavior in the admin panel. (#3203)
• Fixed downloadable products. (#2822)
• Fixed duplicate and missing renewals with improved idempotency. (#3345)
• Fixed invoice filtering, invoice numbering, PDF Unicode handling, and invoice template layout issues. (#2898, #3171, #3358)
• Fixed logic issues in SQL WHERE clauses by adding correct grouping. (#3156)
• Fixed a duplicate custom page slug exception issue. (#3612)
• Fixed a semicolon insertion issue in the admin panel. (#3623)
• Fixed several long-standing email, service license, cart, pricing, and template issues. (#3189, #2919, #3468, #3117)

📝 Changes

• Initial Doctrine setup has landed, including the News rewrite. (#2915)
• Replaced direct PDO usage with Doctrine DBAL in more areas, including UpdatePatcher work. (#2964, #3616, #3617, #3622)
• Added database configuration retrieval and driver normalization. (#3605)
• Replaced Gravatar with local avatar generation. (#3208)
• Replaced ramsey/uuid with symfony/uid. (#2917)
• Refactored Twig environments and extensions. (#2752)
• Shared frontend assets and build helpers now live under the new frontend/ structure. (#3625)
• Inline frontend build utilities now live in theme build scripts. (#3276)
• The Wysiwyg module build has moved from Webpack to esbuild. (#2948)
• Legacy tests have been heavily refactored, modernized, and isolated. (#3060, #3144, #3120)

📦 Dependencies

• Updated Stripe PHP to v20.2.
• Updated Twig to v3.27.
• Updated Symfony polyfills to v1.38.
• Updated Doctrine ORM to v3.6.
• Updated PHPUnit to v12.
• Updated PHPStan to v2.2.
• Updated CKEditor 5 to v48.
• Updated DiceBear to v10.
• Updated Bootstrap, Sass, PostCSS, esbuild, Rector, Sentry, php-debugbar, and other frontend/build dependencies.