HIGHCVE-2026-28210Published 2026-03-05Modified 2026-03-07CNA GitHub_M

CVE-2026-28210: FreePBX: Authenticated SQL Injection in CDR (Call Data Record) Reports

FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

FreePBX / security-reporting
< 16.0.49 · < 17.0.7

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-59gp-632h-c54v

Metrics