Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4063 articles · 176698 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-44239EXPLOITEDPATCHED
freepbx · security-reporting

FreePBX: Authenticated Local File Inclusion in Dashboard Module

Description

FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.

Affected Products

VendorProductVersions
freepbxsecurity-reporting< 16.0.22, >= 17.0.1, < 17.0.5

References

  • https://github.com/FreePBX/security-reporting/security/advisories/GHSA-hw7v-v2jp-wc4v(x_refsource_CONFIRM)

Related News (1 articles)

Tier C
VulDB49d ago
CVE-2026-44239 | FreePBX up to 16.0.21/17.0.4 Dashboard class.php include rawname filename control (GHSA-hw7v-v2jp-wc4v)
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
16.0.22
CWECWE-98
PublishedMay 29, 2026
Last enriched49d agov2
Trending Score0
Source articles1
Independent1
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALPRE-CVE
Unauthenticated Remote Code Execution in FreePBX UCP via Socket.IO Namespace Auth Bypass and AMI Action Injection
Trending: 30
NONECVE-2026-44237
FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module
NONECVE-2026-26978EXP
Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php
NONECVE-2026-40520
FreePBX api module Command Injection via GraphQL
NONECVE-2026-44238EXP
FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 29, 2026
Discovered by ZDM
May 29, 2026
Updated: description, severity, activelyExploited, patchAvailable
May 29, 2026
Actively Exploited
Jun 1, 2026
Patch Available
Jun 1, 2026

Version History

v2
Last enriched 49d ago
v2Tier C49d ago

Updated severity to CRITICAL, added new description details, and noted that the vulnerability is actively exploited.

descriptionseverityactivelyExploitedpatchAvailable
via VulDB
v149d ago

Initial creation