CVE-2026-44238
EUVD-2026-3329829.05.2026, 14:16
FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| sangoma | freepbx | 𝑥 < 16.0.50 |
| sangoma | freepbx | 17.0 ≤ 𝑥 < 17.0.11 |
𝑥
= Vulnerable software versions