CVE-2026-44239: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in FreePBX security-reporting
FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.
AI Analysis
Technical Summary
FreePBX security-reporting versions before 16.0.22 and from 17.0.1 up to but not including 17.0.5 contain a CWE-98 vulnerability where the Dashboard module's getcontent AJAX handler uses the user-supplied 'rawname' parameter in an include() call without path sanitization. This allows attackers to perform path traversal using '../' sequences to include arbitrary PHP class files with a '.class.php' suffix from the filesystem. The included PHP code executes before a class instantiation error, enabling remote code execution. The issue is resolved in versions 16.0.22 and 17.0.5.
Potential Impact
Successful exploitation allows an attacker with low privileges and no user interaction to execute arbitrary PHP code on the affected system by including arbitrary files. This can lead to full compromise of the FreePBX server hosting the security-reporting module. The CVSS 4.0 score is 7.6 (high severity), reflecting network attack vector, low attack complexity, and high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability is fixed in FreePBX security-reporting versions 16.0.22 and 17.0.5. Users should upgrade to these or later versions to remediate the issue. Since no official patch or temporary fix details are provided beyond version updates, upgrading is the recommended action. Patch status is confirmed fixed in these versions.
CVE-2026-44239: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in FreePBX security-reporting
Description
FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.
CVSS v4.0
Score 7.6high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FreePBX security-reporting versions before 16.0.22 and from 17.0.1 up to but not including 17.0.5 contain a CWE-98 vulnerability where the Dashboard module's getcontent AJAX handler uses the user-supplied 'rawname' parameter in an include() call without path sanitization. This allows attackers to perform path traversal using '../' sequences to include arbitrary PHP class files with a '.class.php' suffix from the filesystem. The included PHP code executes before a class instantiation error, enabling remote code execution. The issue is resolved in versions 16.0.22 and 17.0.5.
Potential Impact
Successful exploitation allows an attacker with low privileges and no user interaction to execute arbitrary PHP code on the affected system by including arbitrary files. This can lead to full compromise of the FreePBX server hosting the security-reporting module. The CVSS 4.0 score is 7.6 (high severity), reflecting network attack vector, low attack complexity, and high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability is fixed in FreePBX security-reporting versions 16.0.22 and 17.0.5. Users should upgrade to these or later versions to remediate the issue. Since no official patch or temporary fix details are provided beyond version updates, upgrading is the recommended action. Patch status is confirmed fixed in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T15:42:40.519Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a199936e29bf47b50eaf3d8
Added to database: 5/29/2026, 1:48:38 PM
Last enriched: 5/29/2026, 2:05:49 PM
Last updated: 5/31/2026, 4:55:24 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.