
FreePBX — Vulnerabilities & Security Advisories (26)

Browse all 26 CVE security advisories affecting FreePBX. AI-powered Chinese analysis, POCs, and references for each vulnerability.

FreePBX is an open-source web-based GUI that controls and manages Asterisk, an open-source telephony software suite. Primarily used by businesses and service providers to build IP-based communication systems, it simplifies complex PBX configuration through a user-friendly interface. Historically, the platform has been susceptible to critical vulnerability classes, including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation flaws. These issues often stem from insufficient input validation or insecure default configurations within its modules. Notable incidents have included widespread exploitation of RCE vulnerabilities, allowing attackers to gain full system control and deploy ransomware. With 26 CVEs currently on record, the software’s security posture relies heavily on timely patching and strict access controls. Administrators must remain vigilant, as the breadth of its feature set introduces a larger attack surface compared to minimalistic telephony solutions.

| CVE ID | Title | Module | CWE | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-40520 | FreePBX api module Command Injection via GraphQL | api | CWE-78 | 7.2 | High | 2026-04-21 |
| CVE-2026-28287 | FreePBX: Authenticated Remote Code Execution via Recordings Module AJAX Endpoints | security-reporting | CWE-78 | 8.8 | - | 2026-03-05 |
| CVE-2026-28284 | FreePBX: Authenticated SQL Injection Vulnerabilities in FreePBX Logfiles Module | security-reporting | CWE-89 | 8.8 | - | 2026-03-05 |
| CVE-2026-28210 | FreePBX: Authenticated SQL Injection in CDR (Call Data Record) Reports | security-reporting | CWE-89 | 8.8 | - | 2026-03-05 |
| CVE-2026-28209 | FreePBX: Command Injection leading to Remote Code Execution in FreePBX ElevenLabs Text-to-Speech integration | security-reporting | CWE-78 | 8.8 | - | 2026-03-05 |
| CVE-2025-55210 | FreePBX API has a Privilege Escalation Error in GraphQL Allowing Authenticated Users to Access Additional Scopes | api | CWE-270 | 8.8 (AI) | High (AI) | 2026-02-12 |
| CVE-2025-67736 | Authenticated SQL Injection in FreePBX tts (Text To Speech) module | tts | CWE-89 | 7.2 (AI) | High (AI) | 2025-12-16 |
| CVE-2025-67722 | Authenticated amportal search for ‘freepbx_engine’ in non root writeable directories leads to potential privilege escalation | framework | CWE-426 | 7.8 (AI) | High (AI) | 2025-12-16 |
| CVE-2024-58294 | FreePBX 16 Authenticated Remote Code Execution via API Module | FreePBX | CWE-78 | 8.8 (AI) | High (AI) | 2025-12-11 |
| CVE-2025-67513 | FreePBX Endpoint Manager's Weak Default Password Allows Unauthenticated Access in Endpoint Module REST API | endpoint | CWE-521 | 9.8 (AI) | Critical (AI) | 2025-12-10 |
| CVE-2025-66039 | FreePBX Endpoint Manager Allows Unauthenticated Logins to Administrator Control Panel via Forged Basic Auth Header | framework | CWE-287 | 7.4 (AI) | High (AI) | 2025-12-09 |
| CVE-2025-62173 | Authenticated SQL Injection in Endpoint Module Rest API | restapps | CWE-89 | 8.8 (AI) | High (AI) | 2025-12-03 |
| CVE-2025-64328 | FreePBX Administration GUI is Vulnerable to Authenticated Command Injection | filestore | CWE-78 | 8.3 | - | 2025-11-07 |
| CVE-2025-61678 | FreePBX Endpoint Manager vulnerable to authenticated arbitrary file upload via fwbrand parameter | endpointman | CWE-434 | 8.8 (AI) | High (AI) | 2025-10-14 |
| CVE-2025-61675 | FreePBX Endpoint Manager vulnerable to authenticated SQL injection in multiple configuration parameters | endpoint | CWE-89 | 8.1 (AI) | High (AI) | 2025-10-14 |
| CVE-2025-59429 | FreePBX core module vulnerable to reflected cross-site scripting via Asterisk HTTP Status page | core | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-14 |
| CVE-2025-59051 | FreePBX Endpoint Manager command injection via Network Scanning feature | endpoint | CWE-78 | 8.8 (AI) | High (AI) | 2025-10-14 |
| CVE-2025-59056 | FreePBX vulnerable to unauthenticated Denial of Service | framework | CWE-22 | 3.8 (AI) | Low (AI) | 2025-09-15 |
| CVE-2025-55211 | FreePBX Post-Authenticated Command Injection | framework | CWE-78 | 7.2 (AI) | High (AI) | 2025-09-15 |
| CVE-2025-55739 | api: Shared OAuth Signing Key Between Different Instances | api | CWE-798 | 9.8 (AI) | Critical (AI) | 2025-09-04 |
| CVE-2025-55209 | FreePBX UCP is Vulnerable to Stored XSS Through its User Control Panel | contactmanager | CWE-79 | 8.2 (AI) | High (AI) | 2025-09-04 |
| CVE-2025-57819 | FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE | endpoint | CWE-89 | 9.8 (AI) | Critical (AI) | 2025-08-28 |
| CVE-2024-47071 | OSS Endpoint Manager allows unauthorized access to read system files | endpointman | CWE-22 | 6.8 | Medium | 2024-10-01 |
| CVE-2019-25090 | FreePBX arimanager Views cross site scripting | arimanager | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2021-4282 | FreePBX voicemail page.voicemail.php cross site scripting | voicemail | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2020-36630 | FreePBX cdr Cdr.class.php ajaxHandler sql injection | cdr | CWE-89 | 5.5 | Medium | 2022-12-25 |

CVSS and Severity values marked (AI) were flagged as AI-derived on the original listing rather than taken from an official score; a "-" in the Severity column means no severity rating was listed.

This page lists every published CVE security advisory associated with FreePBX. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.