PT-2026-44843 · Freepbx · Freepbx
Mil1200 · Published 2026-05-29 · Updated 2026-05-30 · CVE-2026-44238
CVSS v3.1
8.8
High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
FreePBX versions prior to 16.0.50
FreePBX versions prior to 17.0.11
Description
The CDR Reports module page allows SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution. This issue occurs through the order and sort POST parameters. Exploitation requires authentication with a FreePBX Administration Control Panel account that has access to the CDR section, although full administrator privileges are not necessary.
Recommendations
Update to version 16.0.50.
Update to version 17.0.11.
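Sort parameters like the order and sort values named in the description are a common injection point because column names and sort directions cannot be passed as bound placeholders. The following is an added illustration of allowlisting them in PHP; it is not FreePBX code or the actual patch, and the table, column list, function names and sample rows are assumptions constructed for the example.

```php
<?php
// Added illustration, not FreePBX source. Table and column names are assumptions
// modelled on a typical call-detail-record table; the sample rows are constructed.

const CDR_SORT_COLUMNS = ['calldate', 'src', 'dst', 'duration'];

/**
 * Build an ORDER BY clause from the `order` and `sort` request values.
 * Identifiers and keywords cannot be bound as parameters, so the only text
 * that reaches the SQL string comes from the fixed lists in this function.
 */
function cdr_order_by_clause($order, $sort): string
{
    // Non-string input (for example an array) falls back to the default.
    $column = is_string($order) && in_array($order, CDR_SORT_COLUMNS, true)
        ? $order : 'calldate';
    $direction = is_string($sort) && strtolower($sort) === 'asc' ? 'ASC' : 'DESC';
    return "ORDER BY `$column` $direction";
}

function cdr_fetch(PDO $db, string $src, $order, $sort): array
{
    // Values go through placeholders; the ORDER BY text is allowlisted above.
    $sql = 'SELECT calldate, src, dst, duration FROM cdr WHERE src = :src '
         . cdr_order_by_clause($order, $sort);
    $stmt = $db->prepare($sql);
    $stmt->execute([':src' => $src]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, duration INTEGER)');
$db->exec("INSERT INTO cdr VALUES ('2026-01-01 10:00:00', '100', '200', 30),
                                  ('2026-01-02 11:00:00', '100', '201', 5)");

// Expected request shape: known column, known direction.
$rows = cdr_fetch($db, '100', 'duration', 'asc');
if ((int) $rows[0]['duration'] !== 5) { throw new RuntimeException('sort failed'); }

// Values outside the lists never reach the SQL text; defaults are used instead.
if (cdr_order_by_clause('no_such_column', 'asc') !== 'ORDER BY `calldate` ASC'
    || cdr_order_by_clause(['x'], 'sideways') !== 'ORDER BY `calldate` DESC') {
    throw new RuntimeException('allowlist failed');
}
echo "ok\n";
```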
Fix
SQL injection
Affected Products
Freepbx