Description
FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.
Published: 2026-05-29
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a logged-in user of the FreePBX Dashboard module to supply a crafted request that makes the server include an arbitrary .class.php file from the filesystem. The included file executes before the system attempts to instantiate the intended class, so the instantiation error that follows does not prevent the included code from running; the result can be arbitrary code execution and loss of system confidentiality and integrity. The weakness is classified as CWE-98 (improper control of the filename used in a PHP include statement), reached here through path traversal.

Affected Systems

FreePBX versions preceding 16.0.22 and 17.0.5 are affected. The flaw resides in the Dashboard module's getcontent AJAX handler and was fixed in those releases.

Risk and Exploitability

This is an authenticated local file inclusion; an attacker must be able to log into the system with a user that has access to the Dashboard module. Because the flaw permits inclusion of any .class.php file, malicious code could be executed on the server. The CVSS score of 7.6 indicates high severity. EPSS information is unavailable, and the flaw is not listed in CISA's KEV catalog. The primary attack vector is an authenticated user exploiting the AJAX request; detection would require monitoring Dashboard getcontent requests for rawname values that contain path separators or ../ sequences, or that name classes outside the expected set.

Generated by OpenCVE AI on May 29, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreePBX to version 16.0.22 or later (or 17.0.5 or later) to apply the vendor’s fix
  • If an upgrade is not immediately possible, disable the Dashboard module or restrict access to the getcontent AJAX endpoint so that only trusted roles can invoke it
  • Verify that file path sanitization is enforced and no untrusted input is concatenated into an include() call to prevent future LFI flaws
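To make the last recommendation concrete, the following PHP is an added illustrative example (not FreePBX's own code): the vulnerable shape the description gives, beside a hardened handler that accepts rawname only as a bare identifier, confines the resolved file to the class directory, logs rejected values, and instantiates only classes that implement an expected interface. The directory layout, the DashboardWidget interface, the allowlist regex and the "Uptime" widget name are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not FreePBX code. The class directory layout, the widget
// interface, the allowlist regex and the class name "Uptime" are assumptions.

interface DashboardWidget
{
    public function render(): string;
}

// The vulnerable shape the advisory describes: the request value is glued
// onto a path with a .class.php suffix and handed straight to include().
// Nothing stops "../" in $rawname from walking out of $classDir, and the
// included file has already run by the time "new $class()" below fails.
function getcontentVulnerable(array $request, string $classDir): void
{
    $rawname = (string) $request['rawname'];
    include $classDir . '/' . $rawname . '.class.php';
    $class = ucfirst($rawname);
    new $class();
}

// Hardened replacement: accept only a bare identifier, then confine the
// resolved file to $classDir before anything is included.
function resolveWidgetClass(string $rawname, string $classDir): ?string
{
    // A widget class name is an identifier; this rejects "/", "\", ".", NUL
    // bytes and percent-encoded variants before the filesystem is touched.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $rawname)) {
        return null;
    }
    $base     = realpath($classDir);
    $resolved = realpath($classDir . DIRECTORY_SEPARATOR . $rawname . '.class.php');
    if ($base === false || $resolved === false) {
        return null;
    }
    // Defence in depth: even with the regex, insist the canonical path sits inside $classDir.
    if (strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

function getcontentHardened(array $request, string $classDir): ?DashboardWidget
{
    $rawname = (string) ($request['rawname'] ?? '');
    $path    = resolveWidgetClass($rawname, $classDir);
    if ($path === null) {
        // Rejected values are exactly the request pattern worth alerting on.
        error_log('dashboard getcontent: rejected rawname ' . json_encode($rawname));
        return null;
    }
    require_once $path;
    $class = ucfirst($rawname);
    // Only instantiate something that really is a widget; anything else is an error.
    if (!class_exists($class, false) || !is_subclass_of($class, DashboardWidget::class)) {
        return null;
    }
    return new $class();
}

// Self-contained demo: a throwaway class directory holding one legitimate widget
// (constructed here so the script runs offline).
$dir = sys_get_temp_dir() . '/dashboard_demo_' . getmypid();
mkdir($dir . '/classes', 0700, true);
file_put_contents(
    $dir . '/classes/Uptime.class.php',
    '<?php class Uptime implements DashboardWidget { public function render(): string { return "uptime widget"; } }'
);

foreach (['Uptime', '../../outside/Other', 'Uptime%00', 'Missing'] as $input) {
    $widget = getcontentHardened(['rawname' => $input], $dir . '/classes');
    printf("%-22s => %s\n", $input, $widget === null ? 'rejected' : $widget->render());
}

unlink($dir . '/classes/Uptime.class.php');
rmdir($dir . '/classes');
rmdir($dir);
```

Run it with `php example.php`: only the legitimate "Uptime" name renders, while the traversal, NUL-byte and unknown names are rejected before any include() runs, and each rejection is written to the PHP error log so it can be picked up by monitoring. The identifier regex does the real work; the realpath() containment check is there so that a future relaxation of the regex cannot silently reintroduce traversal.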

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Freepbx; Freepbx security-reporting
Vendors & Products   (none)           Freepbx; Freepbx security-reporting

Fri, 29 May 2026 13:45:00 +0000

Type            Values Removed   Values Added
Description     (none)           FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.
Title           (none)           FreePBX: Authenticated Local File Inclusion in Dashboard Module
Weaknesses      (none)           CWE-98
References      (none)           (none)
Metrics         (none)           cvssV4_0 {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T03:57:41.817Z

Reserved: 2026-05-05T15:42:40.519Z

Link: CVE-2026-44239

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-05-29T14:16:27.363

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-44239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses