Authenticated SQL Injection and Local File Inclusion Vulnerabilities in FreePBX Security-Reporting Modules

72% confidence

Description

Multiple vulnerabilities were identified in FreePBX Security-Reporting modules including an authenticated SQL Injection via ORDER BY clause in CDR Reports and an authenticated Local File Inclusion in the Dashboard module. These affect FreePBX versions 16 and 17 in specified versions and prior.

Affected Products

Vendor	Product	Versions
sangoma technologies	freepbx	16.0.50 and prior (Security-Reporting cdr), 17.0.11 and prior (Security-Reporting cdr), 16.0.22 and prior (Security-Reporting dashboard), 17.0.5 and prior (Security-Reporting dashboard)

Related News (1 articles)

Tier B

CCCS Canada4h ago

FreePBX security advisory (AV26-484)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

CWECWE-89, CWE-98

PublishedMay 20, 2026

Last enriched4h ago

Authenticated SQL Injection and Local File Inclusion Vulnerabilities in FreePBX Security-Reporting Modules

Description

Affected Products

Related News (1 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline