Skip to main content

Sangoma Switchvox CVE-2026-9586

CRITICAL
SQL Injection (CWE-89)
2026-07-17 SRA
9.3
CVSS 4.0 · Vendor: SRA
Share

Severity by source

Vendor (SRA) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Unauthenticated single-request SQLi over the network with trivial complexity (AV:N/AC:L/PR:N/UI:N); SQL-to-RCE yields full C:H/I:H/A:H on the same appliance, so scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (SRA).

CVSS VectorVendor: SRA

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 16:47 vuln.today
CVE Published
Jul 17, 2026 - 15:57 cve.org
CRITICAL 9.3

DescriptionCVE.org

An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with <PolycomIPPhone> and directly concatenates the user-controlled PhoneIP value into PostgreSQL queries without sanitization or parameterization. An unauthenticated remote attacker can execute arbitrary SQL statements against the backend PostgreSQL database using a single crafted request, including database operations and remote code execution.

AnalysisAI

Unauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrary SQL against the backend PostgreSQL database via the /pa endpoint, which concatenates the attacker-supplied PhoneIP value from a <PolycomIPPhone> XML body into queries without parameterization. Because SQL access on this PostgreSQL deployment can be escalated to command execution, a single crafted, unauthenticated request yields full database compromise and remote code execution on the VoIP appliance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach appliance /pa endpoint
Delivery
Send crafted <PolycomIPPhone> XML with malicious PhoneIP
Exploit
Inject arbitrary SQL into PostgreSQL query
Execution
Escalate SQL access to command execution
Impact
Full database and appliance compromise

Vulnerability AssessmentAI

Exploitation No special authentication is required - the CVSS vector is PR:N/UI:N, confirming unauthenticated exploitation with no user interaction against Switchvox SMB Edition 8.3 (104997). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the appliance's web interface sends a single unauthenticated HTTP request to /pa with an XML body starting <PolycomIPPhone> and a malicious PhoneIP value containing SQL, which is concatenated straight into a PostgreSQL query. With low attack complexity and no authentication or user interaction, the attacker dumps or modifies database contents and pivots the SQL access into command execution on the appliance. …
Remediation Vendor-released patch: upgrade to Sangoma Switchvox SMB Edition 8.4.0.2 (released July 14 2026, per the vendor release notes at https://sangomakb.atlassian.net/wiki/spaces/Switchvox/pages/1802371073/Switchvox+-+Release+Notes+Version+8.4.0.2+July+14+2026), which is the primary fix and should be applied immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and isolate all Sangoma Switchvox SMB Edition systems running version 8.3 (build 104997 or earlier) from untrusted networks; implement firewall rules blocking all external access to the /pa endpoint and restrict administrative access to authorized networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-9586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy