SQL Injection Vulnerability in Sangoma Switchvox SMB Edition
CVE-2026-9586
9.3CRITICAL
What is CVE-2026-9586?
An unauthenticated SQL injection vulnerability has been identified in Sangoma Switchvox SMB Edition 8.3. The vulnerability resides in the /pa endpoint, which processes XML content starting with . This endpoint improperly concatenates the user-controlled PhoneIP value into PostgreSQL queries without adequate sanitization or parameterization. As a result, an unauthenticated remote attacker can exploit this weakness to execute arbitrary SQL statements against the backend PostgreSQL database, potentially enabling database manipulation and remote code execution.
Affected Version(s)
Switchvox SMB Edition 8.3 (104997) < 8.4.0.2
