Skip to main content

FreePBX EUVDEUVD-2026-33298

| CVE-2026-44238 HIGH
SQL Injection (CWE-89)
2026-05-29 GitHub_M
8.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 29, 2026 - 15:01 EUVD
Analysis Generated
May 29, 2026 - 14:32 vuln.today
CVSS changed
May 29, 2026 - 14:22 NVD
8.5 (HIGH)

DescriptionGitHub Advisory

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.

AnalysisAI

SQL injection in FreePBX CDR Reports module prior to versions 16.0.50 and 17.0.11 allows authenticated users with CDR section access to execute arbitrary SQL queries via the order and sort POST parameters. The flaw requires a valid Administration Control Panel account but not full administrator privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV. The CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impact against the call detail records database.

Technical ContextAI

FreePBX is a widely deployed open-source web-based GUI that manages the Asterisk PBX telephony platform, and the affected component is its security-reporting / CDR Reports module which surfaces Call Detail Records via a PHP web interface backed by MySQL/MariaDB. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the order and sort POST parameters used to control result ordering in the CDR report page are concatenated into SQL queries without parameterization or strict allow-list validation, which is the classic anti-pattern for ORDER BY clauses where prepared statement placeholders cannot bind identifiers. The CPE cpe:2.3:a:freepbx:security-reporting confirms the vulnerable component is the security-reporting module rather than the FreePBX core framework.

RemediationAI

Vendor-released patch: upgrade to FreePBX security-reporting module version 16.0.50 (16.x branch) or 17.0.11 (17.x branch) as documented in GHSA-p9fq-fmpw-2h9x at https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x, applied via the FreePBX Module Admin updater. Until the upgrade is deployed, compensating controls include restricting which administrative roles are granted CDR section access in the User Management module (removes the privilege required for exploitation but blocks legitimate CDR reporting for those users), placing the FreePBX Administration Control Panel behind a VPN or IP allow-list at the web server / firewall layer (reduces attacker reachability of the admin UI but breaks remote admin from arbitrary networks), and reviewing CDR module web access logs for anomalous order or sort POST values containing SQL metacharacters such as UNION, SLEEP, or comment sequences. Disabling the CDR Reports module entirely is a stronger workaround but eliminates call-record reporting for operators who rely on it.

Share

EUVD-2026-33298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy