Skip to main content

API

1 CVEs product

Monthly

CVE-2026-40520 HIGH PATCH This Week

Command injection in FreePBX API module 17.0.8 and earlier allows authenticated attackers with valid bearer tokens to execute arbitrary operating system commands as the web server user via malicious GraphQL mutations. The initiateGqlAPIProcess() function passes unsanitized GraphQL moduleOperations mutation input directly to shell_exec(), enabling backtick-wrapped command execution. While requiring high privileges (PR:H), the vulnerability provides complete system compromise within the web server context (CVSS 8.6). Vendor patch available via GitHub commit 5f194e39. No public exploit code or active exploitation confirmed at time of analysis.

Command Injection API
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Command injection in FreePBX API module 17.0.8 and earlier allows authenticated attackers with valid bearer tokens to execute arbitrary operating system commands as the web server user via malicious GraphQL mutations. The initiateGqlAPIProcess() function passes unsanitized GraphQL moduleOperations mutation input directly to shell_exec(), enabling backtick-wrapped command execution. While requiring high privileges (PR:H), the vulnerability provides complete system compromise within the web server context (CVSS 8.6). Vendor patch available via GitHub commit 5f194e39. No public exploit code or active exploitation confirmed at time of analysis.

Command Injection API
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy