Is Freepbx affected by CVE-2026-28284?

FreePBX instances running versions prior to 16.0.10 or 17.0.5 contain authenticated SQL injection vulnerabilities in the logfiles module that could allow attackers with valid credentials to extract sensitive data or modify database records.

CVE-2026-28284

HIGH

2026-03-05 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 05, 2026 - 19:16 nvd

HIGH 8.8

Description

FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.

Analysis

SQL injection in the FreePBX logfiles module allows authenticated attackers to manipulate database queries and potentially extract sensitive data or modify system records. Versions prior to 16.0.10 and 17.0.5 are vulnerable, and attackers with valid FreePBX credentials can exploit this weakness to achieve high-impact unauthorized access to confidential information and system integrity. …

Remediation

Within 24 hours: Inventory all FreePBX deployments and identify those running vulnerable versions (prior to 16.0.10 or 17.0.5); restrict logfiles module access to essential administrative personnel only. Within 7 days: Implement network segmentation to limit FreePBX administrative access to trusted networks; enable enhanced logging and monitoring of database queries; review recent logfiles module access logs for suspicious activity. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-28284 vulnerability details – vuln.today

Back

CVE-2026-28284

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-28284

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code