Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4058 articles · 176698 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-44238EXPLOITED
freepbx · security-reporting

FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports

Description

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.

Affected Products

VendorProductVersions
freepbxsecurity-reporting< 16.0.50, >= 17.0.1, < 17.0.11

References

  • https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x(x_refsource_CONFIRM)

Related News (1 articles)

Tier C
VulDB49d ago
CVE-2026-44238 | FreePBX up to 16.0.49/17.0.10 CDR Reports sql injection (GHSA-p9fq-fmpw-2h9x)
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-89
PublishedMay 29, 2026
Last enriched49d agov2
Trending Score0
Source articles1
Independent1
Info Completeness7/14
Missing: cvss, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALPRE-CVE
Unauthenticated Remote Code Execution in FreePBX UCP via Socket.IO Namespace Auth Bypass and AMI Action Injection
Trending: 30
NONECVE-2026-44237
FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module
NONECVE-2026-26978EXP
Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php
NONECVE-2026-44239EXP
FreePBX: Authenticated Local File Inclusion in Dashboard Module
NONECVE-2026-40520
FreePBX api module Command Injection via GraphQL

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 29, 2026
Discovered by ZDM
May 29, 2026
Updated: description, severity, affectedVersions, activelyExploited
May 29, 2026
Actively Exploited
May 30, 2026

Version History

v2
Last enriched 49d ago
v2Tier C49d ago

Updated severity to CRITICAL, added affected versions 16.0.49 and 17.0.10, and noted that the vulnerability can be exploited remotely.

descriptionseverityaffectedVersionsactivelyExploited
via VulDB
v149d ago

Initial creation