CVE-2026-44238: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in FreePBX security-reporting
FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
AI Analysis
Technical Summary
FreePBX, an open source IP PBX system, contains an SQL injection vulnerability (CWE-89) in its security-reporting component, specifically in the CDR Reports module page. The flaw allows SQL injection through the order and sort POST parameters when accessed by an authenticated user with CDR section access. This vulnerability exists in versions prior to 16.0.50 and from 17.0.1 up to 17.0.11. Exploitation does not require full administrator privileges but does require authentication with a FreePBX Administration Control Panel account that has CDR access. The issue is resolved in versions 16.0.50 and 17.0.11.
Potential Impact
Successful exploitation of this vulnerability could allow an authenticated user with limited privileges (CDR section access) to perform SQL injection attacks, potentially leading to unauthorized data access or manipulation within the FreePBX system's database. The CVSS 4.0 score of 8.5 reflects a high severity with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability is fixed in FreePBX versions 16.0.50 and 17.0.11. Users should upgrade to these or later versions to remediate the issue. Since the vendor advisory does not specify any temporary fixes or workarounds, upgrading is the recommended mitigation. Patch status is confirmed by the vendor's versioning information in the description.
CVE-2026-44238: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in FreePBX security-reporting
Description
FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
CVSS v4.0
Score 8.5high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FreePBX, an open source IP PBX system, contains an SQL injection vulnerability (CWE-89) in its security-reporting component, specifically in the CDR Reports module page. The flaw allows SQL injection through the order and sort POST parameters when accessed by an authenticated user with CDR section access. This vulnerability exists in versions prior to 16.0.50 and from 17.0.1 up to 17.0.11. Exploitation does not require full administrator privileges but does require authentication with a FreePBX Administration Control Panel account that has CDR access. The issue is resolved in versions 16.0.50 and 17.0.11.
Potential Impact
Successful exploitation of this vulnerability could allow an authenticated user with limited privileges (CDR section access) to perform SQL injection attacks, potentially leading to unauthorized data access or manipulation within the FreePBX system's database. The CVSS 4.0 score of 8.5 reflects a high severity with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability is fixed in FreePBX versions 16.0.50 and 17.0.11. Users should upgrade to these or later versions to remediate the issue. Since the vendor advisory does not specify any temporary fixes or workarounds, upgrading is the recommended mitigation. Patch status is confirmed by the vendor's versioning information in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T15:42:40.519Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a199936e29bf47b50eaf3d5
Added to database: 5/29/2026, 1:48:38 PM
Last enriched: 5/29/2026, 2:05:55 PM
Last updated: 5/31/2026, 4:58:29 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.