Threat Feed

Tag

Freepbx

4 briefs
medium advisory

FreePBX Hardcoded Credentials Vulnerability (CVE-2026-46376)

A critical vulnerability, CVE-2026-46376, exists in FreePBX due to the use of hard-coded credentials in the User Control Panel (UCP) generic template setup process. An unauthenticated, remote attacker can gain unauthorized access to user accounts and manipulate user settings if the administrator does not change the default template credentials immediately after enabling UCP.

FreePBX cve voip credential-access
2r 1t 1c

medium threat

FreePBX Security Advisories for Security-Reporting Module Vulnerabilities

FreePBX released security advisories addressing authenticated SQL injection and local file inclusion vulnerabilities in the Security-Reporting cdr and dashboard modules for FreePBX 16 and 17.

Security-Reporting cdr +3 freepbx sql_injection lfi vulnerability
2r 1t

critical advisory

FreePBX Security-Reporting userman Unauthenticated Hard-Coded Credentials Vulnerability

FreePBX Security-Reporting userman versions 16.0.45 and prior (FreePBX 16) and 17.0.7 and prior (FreePBX 17) contain a critical vulnerability due to unauthenticated use of hard-coded credentials in the UCP interface, potentially allowing unauthorized access.

FreePBX Security-Reporting userman +1 freepbx hardcoded-credentials voip
2r

high advisory

FreePBX API Module Command Injection Vulnerability (CVE-2026-40520)

FreePBX api module versions 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function, allowing authenticated users to execute arbitrary commands via crafted GraphQL mutations.

command-injection freepbx graphql cve-2026-40520
2r 1t 1c