SQL Injection Vulnerability in Sangoma Switchvox SMB Edition
CVE-2026-9586

9.3CRITICAL

Key Information:

Vendor

Sangoma

Vendor
CVE Published:
17 July 2026

What is CVE-2026-9586?

An unauthenticated SQL injection vulnerability has been identified in Sangoma Switchvox SMB Edition 8.3. The vulnerability resides in the /pa endpoint, which processes XML content starting with . This endpoint improperly concatenates the user-controlled PhoneIP value into PostgreSQL queries without adequate sanitization or parameterization. As a result, an unauthenticated remote attacker can exploit this weakness to execute arbitrary SQL statements against the backend PostgreSQL database, potentially enabling database manipulation and remote code execution.

Affected Version(s)

Switchvox SMB Edition 8.3 (104997) < 8.4.0.2

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Cam Lischke (SRA)
.