CVE-2026-45771

Name of the Vulnerable Software and Affected Versions FreeSWITCH versions prior to 1.11.0

Description The bundled XML parser in FreeSWITCH expands nested <!ENTITY> declarations without a depth or count bound. This allows a small Document Type Definition (DTD) to describe a body that expands exponentially, a technique known as a billion laughs attack. An unauthenticated network attacker can exploit this by sending a SIP PUBLISH request with a malicious PIDF body, which is processed by the parser before any digest check, leading to unbounded CPU and memory consumption.

Recommendations Update to version 1.11.0.