PT-2026-23492 · Freepbx · Freepbx

H00Die-Gr3Y · Published 2026-03-05 · Updated 2026-03-17 · CVE-2026-28287

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

FreePBX versions 16.0.17.2 through 16.0.19
FreePBX versions 17.0.2.4 through 17.0.4

Description

FreePBX is an open source IP PBX. Multiple command injection vulnerabilities exist in the recordings module, allowing potential unauthorized command execution. These issues have been addressed in later releases.

Recommendations

Update to FreePBX version 16.0.20 or later.
Update to FreePBX version 17.0.5 or later.

Exploit · Fix · RCE · OS Command Injection

Related Identifiers

CVE-2026-28287
GHSA-9VV6-H8V6-RP4Q

Affected Products

Freepbx