
FreePBX — Vulnerabilities & Security Advisories (27)

Browse all 27 CVE security advisories affecting FreePBX. AI-powered Chinese analysis, POCs, and references for each vulnerability.

FreePBX is an open-source web-based GUI that controls and manages Asterisk, an open-source telephony software suite. Primarily used by businesses and service providers to build IP-based communication systems, it simplifies complex PBX configuration through a user-friendly interface. Historically, the platform has been susceptible to critical vulnerability classes, including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation flaws. These issues often stem from insufficient input validation or insecure default configurations within its modules. Notable incidents have included widespread exploitation of RCE vulnerabilities, allowing attackers to gain full system control and deploy ransomware. With 26 CVEs currently on record, the software’s security posture relies heavily on timely patching and strict access controls. Administrators must remain vigilant, as the breadth of its feature set introduces a larger attack surface compared to minimalistic telephony solutions.

High · 2026-04-21
api/Api.class.php at 5f194e39a47e5481e8947f9694304d32724175f6 · FreePBX/api · GitHub

High · FREEI-2866 · 2026-04-21
FREEI-2805 fix:sanitize shell arguments in GraphQL moduleOperations · FreePBX/api@5f194e3 · GitHub

Low · GHSA-gvgh-p7wj-76cf · 2026-02-13
Privilege Escalation Error in GraphQL Allows Authenticated Users to Access Additional Scopes · Advisory · FreePBX/securi

High · CVE-2025-59051 · 2025-10-15
Authenticated Command Injection in Network Scanning feature of Endpoint Manager · Advisory · FreePBX/security-reporting

High · CVE-2025-59429 · 2025-10-15
Reflected Cross-site Scripting in Asterisk HTTP Status page · Advisory · FreePBX/security-reporting · GitHub

High · CVE-2025-61678 · 2025-10-15
Authenticated Arbitrary File Upload in Endpoint Manager · Advisory · FreePBX/security-reporting · GitHub

High · CVE-2025-61675 · 2025-10-15
Authenticated SQL Injections in Endpoint Management · Advisory · FreePBX/security-reporting · GitHub

High · CVE-2025-55739 · 2025-09-05
Shared OAuth Signing Key Between Different Instances Installed Around the Same Time · Advisory · FreePBX/security-report

High · CVE-2025-55209 · 2025-09-05
Stored XSS in FreePBX UCP Contact Group Allows Automatic Execution of User Supplied Scripts During Subsequent Administra

Critical · CVE-2025-57819 · 2025-08-30
Authentication Bypass Leading to SQL Injection and RCE · Advisory · FreePBX/security-reporting · GitHub

Medium · CVE-2024-47071 · 2024-10-02
OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with t

Showing up to 20 recent security advisories.

This page lists every published CVE security advisory associated with FreePBX. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.