Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4063 articles · 176698 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-26978EXPLOITED
freepbx · freepbx

Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php

Description

FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.

Affected Products

VendorProductVersions
freepbxfreepbx< 16.0.71, >= 17.0.0, < 17.0.6

References

  • https://github.com/FreePBX/security-reporting/security/advisories/GHSA-5v7h-49gr-jcwr(x_refsource_CONFIRM)
  • https://github.com/FreePBX/backup/commit/45c57e1207cbf9fd1c5f76f8a3e72d204a69a472(x_refsource_MISC)
  • https://github.com/FreePBX/backup/commit/64781af5c80cce0cff21a981be4d8e6a7a71f2c4(x_refsource_MISC)

Related News (1 articles)

Tier C
VulDB59d ago
CVE-2026-26978 | FreePBX up to 16.0.70/17.0.5 Backup unserialize deserialization (GHSA-5v7h-49gr-jcwr)
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-502
PublishedMay 18, 2026
Last enriched59d agov2
Trending Score0
Source articles1
Independent1
Info Completeness7/14
Missing: cvss, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALPRE-CVE
Unauthenticated Remote Code Execution in FreePBX UCP via Socket.IO Namespace Auth Bypass and AMI Action Injection
Trending: 30
NONECVE-2026-44237
FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module
NONECVE-2026-44239EXP
FreePBX: Authenticated Local File Inclusion in Dashboard Module
NONECVE-2026-40520
FreePBX api module Command Injection via GraphQL
NONECVE-2026-44238EXP
FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 18, 2026
Discovered by ZDM
May 18, 2026
Updated: description, severity, affectedVersions, activelyExploited
May 18, 2026
Actively Exploited
May 20, 2026

Version History

v2
Last enriched 59d ago
v2Tier C59d ago

Updated severity to CRITICAL, added affected versions up to 16.0.70 and 17.0.5, and corrected exploit availability.

descriptionseverityaffectedVersionsactivelyExploited
via VulDB
v159d ago

Initial creation