By vendor
Sangoma vulnerabilities
Known CVEs affecting Sangoma products, prioritized by severity, with SEC.co remediation and detection guidance.
3 published vulnerabilities
- CVE-2026-44238HIGH 8.8
FreePBX versions before 16.0.50 and 17.0.11 contain a SQL injection vulnerability in the CDR (Call Detail Records) Reports module. An authenticated user with CDR section access can manipulate the 'order' and 'sort' parameters to inject arbitrary SQL commands, potentially reading, modifying, or deleting sensitive database content. Unlike many vulnerabilities requiring administrative accounts, this one only needs standard CDR access, broadening the pool of potential attackers within an organization.
- CVE-2026-44239HIGH 8.8
FreePBX, a widely deployed open-source phone system platform, contains a path traversal vulnerability in its Dashboard module that allows authenticated users to execute arbitrary PHP code. By manipulating a parameter in a web request, an attacker can bypass normal file access restrictions and cause the system to load and execute specially-named PHP files from unexpected locations on the server. This is a serious issue because it grants code execution to any user with valid login credentials.
- CVE-2026-44237HIGH 8.1
FreePBX versions before 17.0.8 contain a flaw in their OAuth2 implementation that allows an attacker to bypass credential verification. If an attacker discovers or guesses a valid client application ID, they can request OAuth2 access tokens without needing the corresponding secret passphrase. This grants them the ability to authenticate and interact with the FreePBX API as if they were a legitimate application, potentially enabling unauthorized access to voice, data, and configuration controls.