Path Traversal Vulnerability in FreePBX Dashboard Module by FreePBX
CVE-2026-44239
7.6 HIGH
What is CVE-2026-44239?
The getcontent AJAX handler in the FreePBX Dashboard module concatenates user-supplied input from the $_REQUEST['rawname'] parameter directly into an include() call without proper path sanitization. By placing path traversal sequences in that parameter, an attacker can execute arbitrary PHP files from the filesystem. The issue has been resolved in versions 16.0.22 and 17.0.5. It highlights the importance of validating and sanitizing input before it reaches a file-inclusion call.
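The include() pattern described above next to a hardened counterpart, as an added PHP example that is not FreePBX code. The directory layout, the section.php file name and both function names are assumptions, and the demo tree is constructed in a temp directory.

```php
<?php
// Added illustration, not FreePBX source. Paths and names are hypothetical.

// Pattern the advisory describes: request input joined straight into the
// include path, so "../" segments in $rawname escape $baseDir.
function load_section_unsafe(string $baseDir, string $rawname): void
{
    include $baseDir . '/' . $rawname . '/section.php';
}

// Hardened form: allowlist the name's characters, then confirm the resolved
// path is still inside the base directory before it is ever included.
function resolve_section(string $baseDir, string $rawname): ?string
{
    // Assumption: module names are short lowercase identifiers.
    if (preg_match('/\A[a-z0-9_]{1,64}\z/', $rawname) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $target = realpath($baseDir . '/' . $rawname . '/section.php');
    if ($base === false || $target === false) {
        return null; // base directory or target file does not exist
    }
    // realpath() resolves symlinks and "..", so the prefix check is meaningful.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree: one legitimate module, one file outside the base.
$root = sys_get_temp_dir() . '/rawname_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/modules/dashboard', 0700, true);
file_put_contents($root . '/modules/dashboard/section.php', "<?php echo \"dashboard section\\n\";");
file_put_contents($root . '/section.php', "<?php echo \"outside base\\n\";");

// Constructed inputs: one valid name, three traversal-shaped names, one missing module.
foreach (['dashboard', '..', '../modules/dashboard', 'dashboard/../..', 'nosuch'] as $name) {
    $path = resolve_section($root . '/modules', $name);
    printf("%-26s %s\n", var_export($name, true), $path === null ? 'rejected' : 'accepted');
    if ($path !== null) {
        include $path; // only reached for a validated, contained path
    }
}
```

Only `dashboard` is accepted; every other name is rejected either by the character allowlist or because no file resolves inside the base directory.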
Affected Version(s)
security-reporting < 16.0.22
security-reporting >= 17.0.1, < 17.0.5
