Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the PREFIX(prologTok)() function in FreeSWITCH's bundled XML parsing library, which was cloned from an older, unpatched libexpat version. The function lacks the encoding and decoding safeguards that upstream later added, leaving a CWE‑116 (Improper Encoding or Escaping of Output) weakness. The CVSS score of 5.3 indicates moderate risk: the missing patch could cause the application to misinterpret or mishandle XML input, potentially resulting in erroneous behavior or denial of service.

Affected Systems

SignalWire’s FreeSWITCH installations running any release earlier than 1.11.0 are affected. No specific revision numbers are listed, so all pre‑1.11.0 builds are considered vulnerable. The fixed release, 1.11.0, incorporates the necessary security changes to the expat XML tokenizer.

Risk and Exploitability

The exploitability remains uncertain; there is no EPSS data and the vulnerability is not listed in KEV. The likely attack vector is external input sent through XML‑RPC or similar interfaces that invoke the vulnerable tokenizer. An attacker could potentially craft malformed XML input that triggers improper decoding, leading to application instability or denial of service. The lack of detailed exploitation evidence suggests the risk is moderate but still warrants remediation.

Generated by OpenCVE AI on June 9, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeSWITCH to version 1.11.0 or later, which contains the necessary patch for the expat XML tokenizer.
  • If an immediate upgrade is not feasible, limit the exposure of XML‑RPC interfaces or implement strict input validation to ensure XML payloads are correctly encoded before processing.
  • Disable any unused XML parsing features or external interfaces that could invoke the vulnerable tokenizer.

Generated by OpenCVE AI on June 9, 2026 at 17:42 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Signalwire; Signalwire freeswitch

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Signalwire; Signalwire freeswitch

Tue, 09 Jun 2026 16:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.

Type: Title
  Values Removed: (none)
  Values Added: FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-116

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1, score 5.3, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H


Subscriptions

Signalwire Freeswitch
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T15:59:49.383Z

Reserved: 2026-05-30T04:17:43.094Z

Link: CVE-2026-49472

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:47.243

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-49472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T17:45:10Z

Weaknesses