Skip to main content

Sangoma Switchvox EUVDEUVD-2026-45203

| CVE-2026-9585 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-17 SRA GHSA-34c9-mcf5-3rp3
8.6
CVSS 4.0 · Vendor: SRA
Share

Severity by source

Vendor (SRA) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Unauthenticated network reflected XSS requiring a victim click (UI:R), running in the browser with scope change (S:C) and limited confidentiality/integrity impact; no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (SRA).

CVSS VectorVendor: SRA

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jul 17, 2026 - 18:33 EUVD
Analysis Generated
Jul 17, 2026 - 16:45 vuln.today
CVE Published
Jul 17, 2026 - 15:56 cve.org
HIGH 8.6

DescriptionCVE.org

An unauthenticated reflected cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 (104997). The application fails to properly sanitize the portal parameter supplied to the invalid_browser and invalid_browser_login handlers. User-supplied data is reflected into JavaScript generated by the application, allowing attacker-controlled script execution within a victim's browser.

AnalysisAI

Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser by luring them to a crafted link. The flaw stems from the application reflecting an unsanitized 'portal' parameter into JavaScript emitted by the invalid_browser and invalid_browser_login handlers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with malicious portal parameter
Delivery
Phish victim to invalid_browser handler
Exploit
Payload reflected into portal JavaScript
Execution
Script executes in victim browser
Impact
Steal session or harvest credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to reach the Switchvox SMB Edition 8.3 web portal's invalid_browser or invalid_browser_login handlers over the network and to supply a crafted 'portal' parameter; no authentication is needed (PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 score is 8.6 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:P, indicating network-reachable, low-complexity, unauthenticated exploitation that requires victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the target Switchvox portal's invalid_browser (or invalid_browser_login) handler with a malicious 'portal' parameter carrying JavaScript, then delivers it to a Switchvox user via phishing email or chat. When the victim clicks the link, the injected script runs in their browser in the context of the Switchvox portal, enabling session-token theft, credential harvesting via a fake login prompt, or actions performed as the user. …
Remediation Vendor-released patch: upgrade to Switchvox SMB Edition 8.4.0.2 (released July 14, 2026), per the release notes at https://sangomakb.atlassian.net/wiki/spaces/Switchvox/pages/1802371073/Switchvox+-+Release+Notes+Version+8.4.0.2+July+14+2026. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Sangoma Switchvox SMB Edition 8.3 (build 104997) instances and immediately notify users to avoid links containing 'portal' parameters from untrusted sources; enable strict Content Security Policy headers on all endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy