Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4063 articles · 176698 vulns · 37/41 feeds (7d)
← Back to list
7.2
CVE-2026-40520PATCHED
freepbx · api

FreePBX api module Command Injection via GraphQL

Description

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.

Affected Products

VendorProductVersions
freepbxapi0

References

  • https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6(patch)
  • https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/Api.class.php#L546C1-L554C3(related)
  • https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/ApiGqlHelper.class.php#L34C1-L36C136(related)
  • https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql(third-party-advisory)

Related News (1 articles)

Tier C
VulDB87d ago
CVE-2026-40520 | FreePBX api up to 17.0.8 GraphQL initiateGqlAPIProcess os command injection
→ No new info (linked only)
CVSS 3.17.2 NONE
CISA KEV❌ No
Actively exploited❌ No
Patch available
5f194e39a47e5481e8947f9694304d32724175f6
CWECWE-78
PublishedApr 21, 2026
Last enriched87d agov2
Trending Score0
Source articles1
Independent1
Info Completeness9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALPRE-CVE
Unauthenticated Remote Code Execution in FreePBX UCP via Socket.IO Namespace Auth Bypass and AMI Action Injection
Trending: 30
NONECVE-2026-44237
FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module
NONECVE-2026-26978EXP
Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php
NONECVE-2026-44239EXP
FreePBX: Authenticated Local File Inclusion in Dashboard Module
NONECVE-2026-44238EXP
FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Apr 21, 2026
Discovered by ZDM
Apr 21, 2026
Updated: severity
Apr 21, 2026
Patch Available
Jul 14, 2026

Version History

v2
Last enriched 87d ago
v2Tier C87d ago

Updated severity to CRITICAL and corrected exploit availability to false.

severity
via VulDB
v187d ago

Initial creation