Command Injection Vulnerabilities in FreePBX IP PBX System
CVE-2026-28287
What is CVE-2026-28287?
FreePBX, an open source IP PBX solution, has been found to have multiple command injection vulnerabilities within its recordings module. These vulnerabilities impact versions 16.0.17.2 up to, but not including, 16.0.20 and versions 17.0.2.4 up to, but not including, 17.0.5. Users of affected versions are at risk of unauthorized command execution, potentially allowing attackers to manipulate the system. It is crucial for users to update to versions 16.0.20 and 17.0.5, where these issues have been addressed. For detailed information, please refer to the advisory linked here: FreePBX Security Advisory.
Affected Version(s)
security-reporting >= 16.0.17.2, < 16.0.20 < 16.0.17.2, 16.0.20
security-reporting >= 17.0.2.4, < 17.0.5 < 17.0.2.4, 17.0.5
References
EPSS Score
8% chance of being exploited in the next 30 days.
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
