SQL Injection Vulnerability in FreePBX CDR Reports Module
CVE-2026-44238

8.5 HIGH

Key Information:

Vendor: FreePBX
CVE Published: 29 May 2026

What is CVE-2026-44238?

FreePBX, an open-source IP PBX, is vulnerable to SQL injection in the CDR Reports module in versions before 16.0.50 and 17.0.11. An attacker with access to the FreePBX Administration Control Panel can exploit the flaw through crafted order and sort POST parameters. Exploitation does not require full administrative privileges, but it does require access to the CDR section. The issue is fixed in versions 16.0.50 and 17.0.11; update to a fixed version.
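
The order and sort values end up in an ORDER BY clause, where bound parameters cannot be used, so the usual defence is an allowlist. The sketch below is an added example, not FreePBX code or the actual patch; the cdr table, its column names, the function names and the use of sqlite3 as a stand-in database are all assumptions.

```python
import sqlite3

# Hypothetical allowlists: request value -> fixed SQL fragment.
ORDER_COLUMNS = {"calldate": "calldate", "src": "src", "dst": "dst",
                 "duration": "duration"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_cdr_query(order, sort):
    """Return the report SQL, built only from allowlisted ORDER BY fragments."""
    # Identifiers and keywords cannot be bound as parameters, so the request
    # value is never copied into the SQL text; it only selects a fixed string.
    column = ORDER_COLUMNS.get(str(order).strip().lower())
    direction = SORT_DIRECTIONS.get(str(sort).strip().lower())
    if column is None or direction is None:
        # Reject instead of guessing, so the bad request can be logged.
        raise ValueError("unsupported order/sort value")
    return ("SELECT calldate, src, dst, duration FROM cdr "
            f"WHERE src = ? ORDER BY {column} {direction}")


def fetch_cdr(conn, src, order, sort):
    # Data values such as src still go through a bound parameter.
    return conn.execute(build_cdr_query(order, sort), (src,)).fetchall()


def demo_db():
    """Constructed in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, "
                 "duration INTEGER)")
    conn.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?)", [
        ("2026-05-01 09:00:00", "1001", "2001", 30),
        ("2026-05-02 10:00:00", "1001", "2002", 5),
        ("2026-05-03 11:00:00", "1002", "2001", 90),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(fetch_cdr(conn, "1001", "duration", "asc"))
    try:
        fetch_cdr(conn, "1001", "duration, (SELECT 1)", "asc")
    except ValueError as exc:
        print("rejected:", exc)
```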

Affected Version(s)

security-reporting < 16.0.50

security-reporting >= 17.0.1, < 17.0.11

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved