Skip to main content

Security Reporting

2 CVEs product

Monthly

CVE-2026-44238 HIGH PATCH This Week

SQL injection in FreePBX CDR Reports module prior to versions 16.0.50 and 17.0.11 allows authenticated users with CDR section access to execute arbitrary SQL queries via the order and sort POST parameters. The flaw requires a valid Administration Control Panel account but not full administrator privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV. The CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impact against the call detail records database.

SQLi Security Reporting
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-46376 CRITICAL PATCH Act Now

Authentication bypass in FreePBX User Control Panel (UCP) versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6 allows remote unauthenticated attackers to access UCP accounts using hard-coded initial template credentials when administrators fail to rotate them after enabling the feature. With a CVSS 4.0 score of 9.3 and CWE-798 (Use of Hard-coded Credentials), the flaw exposes high-confidentiality and high-integrity impact to the affected component, though no public exploit identified at time of analysis.

Authentication Bypass Security Reporting
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL injection in FreePBX CDR Reports module prior to versions 16.0.50 and 17.0.11 allows authenticated users with CDR section access to execute arbitrary SQL queries via the order and sort POST parameters. The flaw requires a valid Administration Control Panel account but not full administrator privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV. The CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impact against the call detail records database.

SQLi Security Reporting
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in FreePBX User Control Panel (UCP) versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6 allows remote unauthenticated attackers to access UCP accounts using hard-coded initial template credentials when administrators fail to rotate them after enabling the feature. With a CVSS 4.0 score of 9.3 and CWE-798 (Use of Hard-coded Credentials), the flaw exposes high-confidentiality and high-integrity impact to the affected component, though no public exploit identified at time of analysis.

Authentication Bypass Security Reporting
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy