FreePBX CDR Reports Authenticated SQL Injection in ORDER BY (CVE-2026-4428)

Vulnerability Overview Vulnerability Name: Authenticated SQL Injection via ORDER BY in CDR Reports Vulnerability Description: This vulnerability exists in the CDR Reports module of FreePBX, allowing SQL injection through the and POST parameters. An attacker can leverage this vulnerability to directly access view data within the database. Affected Versions Affected Versions: - cdr (FreePBX 16): < 16.0.50 - cdr (FreePBX 17): < 17.0.11 Fixed Versions: - cdr (FreePBX 16): 16.0.50 - cdr (FreePBX 17): 17.0.11 Severity: 8.5 / 10 (High) Remediation 1. Update Module: Update the module to the latest version. 2. Access Control: Ensure that only authorized users can access the FreePBX Administrator Control Panel, for example, by using the FreePBX User Manager, SysAdmin VPN, MFA, or SAML modules. 3. Network Isolation: Block access to the ACP from the host network, for example, via the FreePBX Firewall module. Scoring CVSS 4.0 Base Vector String: CVSS 4.0 Base Threat Environment Supplemental Vector String: CVSS-B v4.0 score: 8.5 (High) Current CVSS-BTES v4.0 score: 4.8 (Medium) Alternative CVSS-BTES v4.1 score: 0.7 (Low) History The vulnerability's GHSA identifier is . A similar issue involving the parameter in the same file was previously addressed, but or sort direction was not included in that fix. This issue is receiving the Amber Provider Urgency CVSS Supplemental Metric, as the vulnerability has existed since before 2011. Additional Information CVE ID: CVE-2026-4428 CWE ID: CWE-89 Credits: - Reporter: mil200 - Coordinator: chramsj - Remediation Developer: Sangoma-Heera Links FreePBX Blog GitHub Issue

Goal Reached Thanks to every supporter — we hit 100%!

FreePBX CDR Reports Authenticated SQL Injection in ORDER BY (CVE-2026-4428)

More from this source