CVE-2026-44238 | FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.… | CVSS 8.5 HIGH

Description

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.

Metadata

CVE ID: CVE-2026-44238
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-05 15:42 UTC
Published: 2026-05-29 12:44 UTC
Last updated: 2026-05-30 03:57 UTC
Primary CWE: CWE-89
CWE-89: Improper Neutralization of Special Elements used in …
Vendor / Product: FreePBX / security-reporting
Sources: cve.org · NVD

Severity & Metrics

8.5 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
FreePBX	security-reporting	—	< 16.0.50, >= 17.0.1, < 17.0.11

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.5	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References (1)

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x