Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the PREFIX(prologTok)() function of FreeSWITCH's bundled XML parsing library, which was cloned from an older, unpatched libexpat version and never received the corresponding upstream security fix. The function lacks the proper encoding and decoding safeguards, which corresponds to a CWE-116 weakness. The CVSS score of 5.3 indicates a moderate risk: the unpatched tokenizer could misinterpret or mishandle XML input, potentially resulting in erroneous behavior or denial of service.

Affected Systems

SignalWire’s FreeSWITCH installations running any release earlier than 1.11.0 are affected. No specific revision numbers are listed, so all pre‑1.11.0 builds are considered vulnerable. The fixed release, 1.11.0, incorporates the necessary security changes to the expat XML tokenizer.

Risk and Exploitability

The exploitability remains uncertain; there is no EPSS data and the vulnerability is not listed in KEV. The likely attack vector is external input sent through XML‑RPC or similar interfaces that invoke the vulnerable tokenizer. An attacker could potentially craft malformed XML input that triggers improper decoding, leading to application instability or denial of service. The lack of detailed exploitation evidence suggests the risk is moderate but still warrants remediation.

Generated by OpenCVE AI on June 9, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeSWITCH to version 1.11.0 or later, which contains the necessary patch for the expat XML tokenizer.
  • If an immediate upgrade is not feasible, limit the exposure of XML‑RPC interfaces or implement strict input validation to ensure XML payloads are correctly encoded before processing.
  • Disable any unused XML parsing features or external interfaces that could invoke the vulnerable tokenizer.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:15:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Freeswitch, Freeswitch freeswitch
  • CPEs: cpe:2.3:a:freeswitch:freeswitch:*:*:*:*:*:*:*:*
  • Vendors & Products: Freeswitch, Freeswitch freeswitch

Wed, 10 Jun 2026 14:30:00 +0000

Values Removed: (none)
Values Added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Signalwire, Signalwire freeswitch
  • Vendors & Products: Signalwire, Signalwire freeswitch

Tue, 09 Jun 2026 16:30:00 +0000

Values Removed: (none)
Values Added:
  • Description: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.
  • Title: FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat
  • Weaknesses: CWE-116
  • References:
  • Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Freeswitch Freeswitch
Signalwire Freeswitch
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T13:45:21.533Z

Reserved: 2026-05-30T04:17:43.094Z

Link: CVE-2026-49472

Vulnrichment

Updated: 2026-06-10T13:45:15.563Z

NVD

Status: Analyzed

Published: 2026-06-09T17:17:47.243

Modified: 2026-06-10T15:06:00.993

Link: CVE-2026-49472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T17:45:10Z

Weaknesses
  • CWE-116: Improper Encoding or Escaping of Output