Browse all 26 CVE security advisories affecting FreePBX. AI-powered Chinese analysis, POCs, and references for each vulnerability.
FreePBX is an open-source web-based GUI that controls and manages Asterisk, an open-source telephony software suite. Primarily used by businesses and service providers to build IP-based communication systems, it simplifies complex PBX configuration through a user-friendly interface. Historically, the platform has been susceptible to critical vulnerability classes, including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation flaws. These issues often stem from insufficient input validation or insecure default configurations within its modules. Notable incidents have included widespread exploitation of RCE vulnerabilities, allowing attackers to gain full system control and deploy ransomware. With 26 CVEs currently on record, the software’s security posture relies heavily on timely patching and strict access controls. Administrators must remain vigilant, as the breadth of its feature set introduces a larger attack surface compared to minimalistic telephony solutions.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-40520 | FreePBX api module Command Injection via GraphQL (module: api, CWE-78) | 7.2 | High | 2026-04-21 |
| CVE-2025-55210 | FreePBX API has a Privilege Escalation Error in GraphQL Allowing Authenticated Users to Access Additional Scopes (module: api, CWE-270) | 8.8 (AI) | High (AI) | 2026-02-12 |
| CVE-2025-55739 | api: Shared OAuth Signing Key Between Different Instances (module: api, CWE-798) | 9.8 (AI) | Critical (AI) | 2025-09-04 |
This page lists every published CVE security advisory associated with FreePBX. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.