Sangoma Switchvox CVE-2026-9588
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated user injects stored payload (PR:L) that runs in another user's browser (UI:R, scope change S:C), yielding limited session-level confidentiality and integrity impact.
Primary rating from Vendor (SRA).
CVSS VectorVendor: SRA
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997) within the voicemail notification template functionality. The submit_modify_voicemail_template endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious JavaScript supplied through the template_text parameter to be stored server-side and subsequently rendered to other users.
AnalysisAI
Stored cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an authenticated user inject persistent JavaScript through the voicemail notification template feature, which then executes in the browsers of other users who view the affected template. The payload is submitted via the template_text parameter to the submit_modify_voicemail_template endpoint, which fails to sanitize HTML. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Switchvox SMB Edition account with permission to create or modify voicemail notification templates (PR:L), and the injected payload only fires when a second user views the affected template (UI:P), so a victim interaction is mandatory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 score is 7.0 (High) with vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Switchvox user with access to the voicemail template feature submits a template_text value containing a malicious <script> payload to submit_modify_voicemail_template, which is stored on the appliance. When an administrator or another user subsequently opens or previews that voicemail notification template, the script executes in their session, allowing session hijacking or configuration changes in the PBX web interface. … |
| Remediation | Vendor-released patch: upgrade Switchvox SMB Edition to version 8.4.0.2 or later, per the July 14, 2026 release notes (https://sangomakb.atlassian.net/wiki/spaces/Switchvox/pages/1802371073/Switchvox+-+Release+Notes+Version+8.4.0.2+July+14+2026). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Sangoma Switchvox SMB Edition 8.3 (build 104997) installations and immediately restrict administrative access to the voicemail template modification feature; audit existing templates and user access logs for suspicious modifications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Switchvox Smb Edition
View allUnauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrar
Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attack
Arbitrary file read in Sangoma Switchvox SMB Edition 8.3 (build 104997) allows an authenticated user to disclose sensiti
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today