signalwire Cyber Security Vulnerability Stats and Metrics

FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`

CVE-2026-49848

SignalwireFreeswitch4.3MEDIUM

FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON

CVE-2026-49847

SignalwireFreeswitch7.5HIGH

FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto`

CVE-2026-49843

SignalwireFreeswitch5.3MEDIUM

FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames

CVE-2026-49842

SignalwireFreeswitch7.5HIGH

FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read

CVE-2026-49841

SignalwireFreeswitch9.8CRITICAL

FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing

CVE-2026-49840

SignalwireFreeswitch9.1CRITICAL

FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing

CVE-2026-49475

SignalwireFreeswitch7.5HIGH

FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat

CVE-2026-49472

SignalwireFreeswitch5.3MEDIUM

Freeswitch Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion

CVE-2026-45771

SignalwireFreeswitch7.5HIGH

FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation

CVE-2023-51443

SignalwireFreeswitch7.5HIGH

FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID

CVE-2023-40018

signalwirefreeswitch7.5HIGH

FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names

CVE-2023-40019

signalwirefreeswitch6.5MEDIUM

FreeSWITCH vulnerable to SIP digest leak for configured gateways

CVE-2021-41158

SignalwireFreeswitch5.8MEDIUM

FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default

CVE-2021-41157

SignalwireFreeswitch5.3MEDIUM

FreeSWITCH susceptible to Denial of Service via invalid SRTP packets

CVE-2021-41105

SignalwireFreeswitch7.5HIGH

FreeSWITCH susceptible to Denial of Service via SIP flooding

CVE-2021-41145

SignalwireFreeswitch8.6HIGH

FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing

CVE-2021-37624

SignalwireFreeswitch👾🟡7.5HIGH

Information Disclosure Vulnerability in SignalWire FreeSWITCH Software

CVE-2021-36513

SignalwireFreeswitch7.5HIGH

signalwire Summary

Vulnerability Published:

Sort By:

9 June 2026

FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`

FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON

FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto`

FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames

FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read

FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing

FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing

FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat

Freeswitch Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion

27 December 2023

FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation

15 September 2023

FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID

FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names

26 October 2021

FreeSWITCH vulnerable to SIP digest leak for configured gateways

FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default

25 October 2021

FreeSWITCH susceptible to Denial of Service via invalid SRTP packets

FreeSWITCH susceptible to Denial of Service via SIP flooding

FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing

18 October 2021

Information Disclosure Vulnerability in SignalWire FreeSWITCH Software