
sangoma freepbx

43 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | affected versions | score and severity

CVE-2026-40520 | < 17.0.8 | 7.2 HIGH
  FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function wher

CVE-2026-28287 | >= 16.0.17.2 and < 16.0.20 | 8.8 HIGH
  FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple c

CVE-2026-28284 | >= 16.0 and < 16.0.10 | 8.8 HIGH
  FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated

CVE-2026-28210 | >= 16.0 and < 16.0.49 | 8.8 HIGH
  FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL

CVE-2026-28209 | >= 16.0.17.2 and < 16.0.20 | 7.2 HIGH
  FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command

CVE-2025-55210 | >= 16.0.2 and < 16.0.17 | 7.5 HIGH
  FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX mod

CVE-2025-67736 | >= 16.0 and < 16.0.5 | 7.2 HIGH
  The FreePBX module tts (Text to Speech) for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk

CVE-2025-67722 | >= 16.0 and < 16.0.45 | 7.8 HIGH
  FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of

CVE-2024-58294 | all versions | 8.8 HIGH
  FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid sessio

CVE-2025-66039 | < 16.0.44 | 9.8 CRITICAL
  FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authenticatio

CVE-2025-59429 | < 16.0.68.39 | 5.4 MEDIUM
  FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.

CVE-2025-59056 | >= 15.0 and < 15.0.38 | 7.5 HIGH
  FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrato

CVE-2025-55211 | >= 17.0.19.11 and < 17.0.21 | 8.8 HIGH
  FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Admini

CVE-2025-57819 | >= 15.0 and < 15.0.66 | 9.8 CRITICAL
  FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficientl

CVE-2024-53564 | all versions | 2.2 LOW
  A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowi

CVE-2023-43336 | < 15.0.16 | 8.8 HIGH
  Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue v

CVE-2019-25090 | < 13.0.5.4 | 3.5 LOW
  A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. Affected by this issue is some unkno

CVE-2020-36630 | >= 14.0 and < 14.0.5.21 | 5.5 MEDIUM
  A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the fi

CVE-2019-19852 | >= 13.0 and <= 13.0.26.9 | 4.8 MEDIUM
  An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in

CVE-2019-19615 | >= 14.0.10.2 and <= 14.0.10.7 | 4.8 MEDIUM
  Multiple XSS vulnerabilities exist in the Backup & Restore module v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/

CVE-2019-19538 | < 13.0.92 | 7.2 HIGH
  In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution

CVE-2019-19851 | <= 13.0.4.7 | 4.8 MEDIUM
  An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta mo

CVE-2019-19552 | >= 13.0 and <= 13.0.76.43 | 4.8 MEDIUM
  In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site,

CVE-2019-19551 | >= 13.0 and <= 13.0.76.43 | 4.8 MEDIUM
  In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site.

CVE-2019-19006 | >= 13.0.0.0 and <= 13.0.197.13 | 9.8 CRITICAL
  Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.

CVE-2019-16967 | < 14.0.10.3 | 6.1 MEDIUM
  An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module for

CVE-2019-16966 | all versions | 6.1 MEDIUM
  An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0

CVE-2018-15892 | < 13.0.6.2 | 4.3 MEDIUM
  FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup variable on the /admin/config.php?display=disa&view=form pag

CVE-2018-15891 | < 13.0.122.43 | 4.8 MEDIUM
  An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk m

CVE-2018-6393 | all versions | 7.2 HIGH
  FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE

CVE-2014-7235 | <= 2.9.0.8
  htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, an

CVE-2014-1903 | all versions
  admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.

CVE-2012-4870 | <= 2.9
  Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and earlier allow remote attackers to inject arbitrary web scri

CVE-2012-4869 | <= 2.10
  The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to exec

CVE-2010-3490 | <= 2.8.0
  Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in Free

CVE-2009-4458 | all versions
  Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.2 and 2.6.0rc2, and possibly other versions, allow remote attac

CVE-2009-1803 | all versions
  FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attem

CVE-2009-1802 | all versions
  Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x version

CVE-2009-1801 | all versions
  Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allo

CVE-2007-2350 | <= 2.2.1
  admin/config.php in the music-on-hold module in freePBX 2.2.x allows remote authenticated administrators to execute arbitrary comm

CVE-2007-2191 | all versions
  Multiple cross-site scripting (XSS) vulnerabilities in freePBX 2.2.x allow remote attackers to inject arbitrary web script or HTML

CVE-2006-7107 | all versions
  PHP remote file inclusion vulnerability in upgrade.php in Coalescent Systems freePBX 2.1.3 allows remote attackers to execute arbi

CVE-2006-6244 | <= 2.1.3
  Coalescent Systems freePBX (formerly Asterisk Management Portal) before 2.2.0rc1 allows attackers to execute arbitrary commands vi
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin