Skip to main content

Switchvox Smb Edition

4 CVEs product

Monthly

CVE-2026-9588 HIGH PATCH This Week

Stored cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an authenticated user inject persistent JavaScript through the voicemail notification template feature, which then executes in the browsers of other users who view the affected template. The payload is submitted via the template_text parameter to the submit_modify_voicemail_template endpoint, which fails to sanitize HTML. No public exploit identified at time of analysis, though the flaw was disclosed with a technical writeup by researchers at SRA; it is not listed in CISA KEV.

XSS Switchvox Smb Edition
NVD
CVSS 4.0
7.0
CVE-2026-9587 HIGH PATCH This Week

Arbitrary file read in Sangoma Switchvox SMB Edition 8.3 (build 104997) allows an authenticated user to disclose sensitive files anywhere on the appliance filesystem. The play_file functionality trusts the user-controlled sound_path parameter and fails to validate paths, so supplying an absolute path escapes the intended sound directory. No public exploit code is identified, but a detailed technical write-up from the reporting researchers (SRA) exists, and the flaw is not listed in CISA KEV.

Information Disclosure Switchvox Smb Edition
NVD GitHub
CVSS 4.0
7.1
CVE-2026-9586 CRITICAL PATCH Act Now

Unauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrary SQL against the backend PostgreSQL database via the /pa endpoint, which concatenates the attacker-supplied PhoneIP value from a <PolycomIPPhone> XML body into queries without parameterization. Because SQL access on this PostgreSQL deployment can be escalated to command execution, a single crafted, unauthenticated request yields full database compromise and remote code execution on the VoIP appliance. There is no public exploit identified at time of analysis, though vendor SRA published a technical writeup, and the CVSS 4.0 base score is 9.3 (Critical).

RCE SQLi PostgreSQL Switchvox Smb Edition
NVD
CVSS 4.0
9.3
CVE-2026-9585 HIGH PATCH This Week

Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser by luring them to a crafted link. The flaw stems from the application reflecting an unsanitized 'portal' parameter into JavaScript emitted by the invalid_browser and invalid_browser_login handlers. No public exploit is identified at time of analysis, though the reporting researcher (SRA) has published a technical writeup, and no evidence of active exploitation exists.

XSS Switchvox Smb Edition
NVD
CVSS 4.0
8.6
CVSS 7.0
HIGH PATCH This Week

Stored cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an authenticated user inject persistent JavaScript through the voicemail notification template feature, which then executes in the browsers of other users who view the affected template. The payload is submitted via the template_text parameter to the submit_modify_voicemail_template endpoint, which fails to sanitize HTML. No public exploit identified at time of analysis, though the flaw was disclosed with a technical writeup by researchers at SRA; it is not listed in CISA KEV.

XSS Switchvox Smb Edition
NVD
CVSS 7.1
HIGH PATCH This Week

Arbitrary file read in Sangoma Switchvox SMB Edition 8.3 (build 104997) allows an authenticated user to disclose sensitive files anywhere on the appliance filesystem. The play_file functionality trusts the user-controlled sound_path parameter and fails to validate paths, so supplying an absolute path escapes the intended sound directory. No public exploit code is identified, but a detailed technical write-up from the reporting researchers (SRA) exists, and the flaw is not listed in CISA KEV.

Information Disclosure Switchvox Smb Edition
NVD GitHub
CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrary SQL against the backend PostgreSQL database via the /pa endpoint, which concatenates the attacker-supplied PhoneIP value from a <PolycomIPPhone> XML body into queries without parameterization. Because SQL access on this PostgreSQL deployment can be escalated to command execution, a single crafted, unauthenticated request yields full database compromise and remote code execution on the VoIP appliance. There is no public exploit identified at time of analysis, though vendor SRA published a technical writeup, and the CVSS 4.0 base score is 9.3 (Critical).

RCE SQLi PostgreSQL +1
NVD
CVSS 8.6
HIGH PATCH This Week

Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser by luring them to a crafted link. The flaw stems from the application reflecting an unsanitized 'portal' parameter into JavaScript emitted by the invalid_browser and invalid_browser_login handlers. No public exploit is identified at time of analysis, though the reporting researcher (SRA) has published a technical writeup, and no evidence of active exploitation exists.

XSS Switchvox Smb Edition
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy