Description
FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
Published: 2026-05-29
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FreePBX versions prior to 16.0.50 and 17.0.11 allow an authenticated user who has access to the CDR section of the Administration Control Panel to perform SQL injection via the order and sort POST parameters on the CDR Reports module. This vulnerability is a classic SQL injection (CWE-89) that can be exploited to read, modify, or delete records in the underlying database, potentially exposing sensitive call details or compromising the integrity of the PBX data.

Affected Systems

All FreePBX installations running 16.x versions earlier than 16.0.50 or 17.x versions earlier than 17.0.11 are affected. The flaw exists in the CDR Reports module that is accessible to users with CDR section privileges; full administrator rights are not required.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. No EPSS score is available, so the current likelihood of exploitation is unclear; the vulnerability is not listed in the CISA KEV catalog. An attacker needs only to authenticate to a FreePBX account with CDR access; no additional privileges are required. Once authenticated, an attacker can supply crafted ORDER BY values to alter the SQL query and potentially exfiltrate confidential data.

Generated by OpenCVE AI on May 29, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FreePBX to at least 16.0.50 or 17.0.11 to eliminate the vulnerable code.
  • If an immediate update is not possible, disable or restrict the sort and order parameters on the CDR Reports page for all non-trusted users.
  • Ensure that only trusted administrators have access to the CDR section of the Control Panel, and monitor database access logs for anomalous query patterns.
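The second recommendation above, restricting the sort and order parameters, is the general fix for ORDER BY injection: column names and sort directions are SQL identifiers, not data, so they cannot be bound as prepared-statement placeholders and must instead be mapped onto a server-side allowlist before they touch the query text. The following Python/sqlite3 sketch is an added example written for this page; it is not FreePBX code, and the table name, column names, and function names are assumptions.

```python
import sqlite3

# Allowlist of sortable CDR columns. The key is the value a client may send,
# the value is the identifier spliced into the SQL. Nothing outside this map
# ever reaches the statement text. (Column names are assumed for the example.)
SORTABLE_COLUMNS = {
    "calldate": "calldate",
    "src": "src",
    "dst": "dst",
    "duration": "duration",
    "disposition": "disposition",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def resolve_order_clause(sort: str, order: str) -> str:
    """Map untrusted sort/order values onto allowlisted SQL fragments.

    Raises ValueError for anything not on the allowlist. The raw request
    value is never concatenated into the query, which is the defect class
    described by CWE-89 for ORDER BY parameters.
    """
    column = SORTABLE_COLUMNS.get(str(sort).strip().lower())
    direction = SORT_DIRECTIONS.get(str(order).strip().lower())
    if column is None or direction is None:
        raise ValueError("unsupported sort/order value")
    return f"ORDER BY {column} {direction}"


def is_safe_request(sort, order) -> bool:
    """Boolean form of the same check, usable as a pre-filter in a request handler."""
    try:
        resolve_order_clause(sort, order)
        return True
    except ValueError:
        return False


def fetch_cdr(conn, sort, order, limit=100):
    """Run the report query. Only the allowlisted identifiers are interpolated;
    the data value (limit) still goes through a bound placeholder."""
    clause = resolve_order_clause(sort, order)
    sql = f"SELECT calldate, src, dst, duration FROM cdr {clause} LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()


def build_sample_db():
    """Constructed sample CDR rows (not real call data) in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, "
        "duration INTEGER, disposition TEXT)"
    )
    conn.executemany("INSERT INTO cdr VALUES (?,?,?,?,?)", [
        ("2026-05-01 09:00:00", "1001", "2001", 45, "ANSWERED"),
        ("2026-05-01 09:05:00", "1002", "2002", 120, "ANSWERED"),
        ("2026-05-01 09:10:00", "1003", "2003", 5, "NO ANSWER"),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for row in fetch_cdr(db, "duration", "desc"):
        print(row)
    # Any value not in the allowlist, however it is spelled, is rejected.
    print(is_safe_request("duration, calldate", "asc"))  # False
```

The important property is that the validator is an exact lookup, not a blacklist of suspicious characters: a value with a trailing comment marker, an extra comma, or a second column name simply has no entry in the map and is refused before any SQL is built.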

Advisories

No advisories yet.

History

Sat, 30 May 2026 03:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Freepbx; Freepbx security-reporting
Type: Vendors & Products
Values Added: Freepbx; Freepbx security-reporting

Fri, 29 May 2026 13:45:00 +0000

Type: Description
Values Added: FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.
Type: Title
Values Added: FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports
Type: Weaknesses
Values Added: CWE-89
Type: References
Type: Metrics
Values Added: cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Freepbx Security-reporting
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T03:57:40.671Z

Reserved: 2026-05-05T15:42:40.519Z

Link: CVE-2026-44238

Vulnrichment

Updated: 2026-05-30T02:27:55.021Z

NVD

Status : Undergoing Analysis

Published: 2026-05-29T14:16:27.233

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-44238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses