Authenticated Command Injection and Arbitrary PHP Code Execution in FreePBX Security-Reporting Modules

72% confidence

Description

Multiple vulnerabilities in FreePBX Security-Reporting modules including an authenticated command injection in the UCP interface and arbitrary PHP code execution via unsafe file inclusion in the Superfecta module.

Affected Products

Vendor	Product	Versions
sangoma technologies	freepbx security-reporting modules	FreePBX Security-Reporting ucp (FreePBX 16) versions prior to 0.39, FreePBX Security-Reporting ucp (FreePBX 17) versions prior to 0.7, FreePBX Security-Reporting superfecta (FreePBX 16) versions prior to 16.0.40, FreePBX Security-Reporting superfecta (FreePBX 17) versions prior to 17.0.7

Related News (1 articles)

Tier B

CCCS Canada2d ago

FreePBX security advisory (AV26–596)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

0.39 for ucp FreePBX 160.7 for ucp FreePBX 1716.0.40 for superfecta FreePBX 1617.0.7 for superfecta FreePBX 17

CWECWE-77, CWE-94

PublishedJun 12, 2026

Last enriched2d ago

Authenticated Command Injection and Arbitrary PHP Code Execution in FreePBX Security-Reporting Modules

Description

Affected Products

Related News (1 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline