Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
AnalysisAI
SQL injection in FreePBX CDR Reports module prior to versions 16.0.50 and 17.0.11 allows authenticated users with CDR section access to execute arbitrary SQL queries via the order and sort POST parameters. The flaw requires a valid Administration Control Panel account but not full administrator privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV. The CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impact against the call detail records database.
Technical ContextAI
FreePBX is a widely deployed open-source web-based GUI that manages the Asterisk PBX telephony platform, and the affected component is its security-reporting / CDR Reports module which surfaces Call Detail Records via a PHP web interface backed by MySQL/MariaDB. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the order and sort POST parameters used to control result ordering in the CDR report page are concatenated into SQL queries without parameterization or strict allow-list validation, which is the classic anti-pattern for ORDER BY clauses where prepared statement placeholders cannot bind identifiers. The CPE cpe:2.3:a:freepbx:security-reporting confirms the vulnerable component is the security-reporting module rather than the FreePBX core framework.
RemediationAI
Vendor-released patch: upgrade to FreePBX security-reporting module version 16.0.50 (16.x branch) or 17.0.11 (17.x branch) as documented in GHSA-p9fq-fmpw-2h9x at https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x, applied via the FreePBX Module Admin updater. Until the upgrade is deployed, compensating controls include restricting which administrative roles are granted CDR section access in the User Management module (removes the privilege required for exploitation but blocks legitimate CDR reporting for those users), placing the FreePBX Administration Control Panel behind a VPN or IP allow-list at the web server / firewall layer (reduces attacker reachability of the admin UI but breaks remote admin from arbitrary networks), and reviewing CDR module web access logs for anomalous order or sort POST values containing SQL metacharacters such as UNION, SLEEP, or comment sequences. Disabling the CDR Reports module entirely is a stronger workaround but eliminates call-record reporting for operators who rely on it.
More in Security Reporting
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33298