39 matches found

Packet Storm
added 2025/12/10 12:0 a.m., 117 views

Xorcom CompletePBX 5.2.35 Remote Code Execution

Xorcom CompletePBX suffers from an authenticated command injection vulnerability within the Task Scheduler subsystem. An attacker with valid superadmin credentials can create a scheduled task containing unsanitized parameters that get executed by the backend, resulting in remote command execution...

CVSS 8.8, AI score 7.6, EPSS 0.7058
Exploits: 3
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2025-8860

Malicious code in bioql PyPI...

CVSS 6.1, AI score 6.6, EPSS 0.00268
Exploits: 0, References: 3
Rapid7 Blog
added 2025/07/28 12:9 p.m., 9 views

Metasploit Wrap-Up 07/25/2025

We want to hear from you! Over the next few weeks, we’ll continue to put out user surveys on X as well as Mastodon so you can respond to some of the questions that will help us understand what you want and need from Metasploit Framework! We will also have a survey on our website during DEF CON an...

CVSS 9.8, AI score 10, EPSS 0.82155
Exploits: 9
Metasploit
added 2025/07/22 6:52 p.m., 351 views

Xorcom CompletePBX Authenticated Command Injection via Task Scheduler

This module exploits an authenticated command injection vulnerability in Xorcom CompletePBX versions use exploit/linux/http/xorcomcompletepbxscheduler msf exploitxorcomcompletepbxscheduler show targets ...targets... msf exploitxorcomcompletepbxscheduler set TARGET msf...

CVSS 8.8, AI score 6, EPSS 0.7058
Exploits: 3
Metasploit
added 2025/07/22 6:52 p.m., 562 views

Xorcom CompletePBX Authenticated File Disclosure via Backup Download

This module exploits an authenticated file disclosure vulnerability in CompletePBX use auxiliary/scanner/http/xorcomcompletepbxfiledisclosure msf auxiliaryxorcomcompletepbxfiledisclosure show actions ...actions... msf auxiliaryxorcomcompletepbxfiledisclosure set ACTION msf...

CVSS 6.5, AI score 5.9, EPSS 0.52797
Exploits: 1
Packet Storm
added 2025/07/22 12:0 a.m., 101 views

Xorcom CompletePBX Authenticated Command Injection Via Task Scheduler

This Metasploit module exploits an authenticated command injection vulnerability in Xorcom CompletePBX versions less than or equal to 5.2.35. The issue resides in the task scheduler functionality, where user-controlled input is improperly sanitized, allowing arbitrary command execution with web...

CVSS 9.1, AI score 7.8, EPSS 0.7058
Exploits: 3
RedhatCVE
added 2025/04/02 5:37 p.m., 7 views

CVE-2025-30005

Xorcom CompletePBX is vulnerable to a path traversal via the Diagnostics reporting module, which will allow reading of arbitrary files and additionally delete any retrieved file in place of the expected report. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 8.3, AI score 7.2, EPSS 0.70195
Exploits: 1, References: 1
RedhatCVE
added 2025/04/02 5:36 p.m., 6 views

CVE-2025-30006

Xorcom CompletePBX is vulnerable to a reflected cross-site scripting (XSS) in the administrative control panel. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 6.1, AI score 6, EPSS 0.00268
Exploits: 0, References: 1
RedhatCVE
added 2025/04/02 5:36 p.m., 10 views

CVE-2025-2292

Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX: through 5.2.35...

CVSS 6.5, AI score 7.2, EPSS 0.52797
Exploits: 1, References: 1
RedhatCVE
added 2025/04/02 5:34 p.m., 8 views

CVE-2025-30004

Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 9.1, AI score 8.5, EPSS 0.7058
Exploits: 3, References: 1
EUVD
added 2025/03/31 6:31 p.m., 2 views

EUVD-2025-8864

Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX: through 5.2.35...

CVSS 4.9, AI score 6.5, EPSS 0.52797
Exploits: 1, References: 3
EUVD
added 2025/03/31 6:31 p.m., 3 views

EUVD-2025-8863

Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 9.1, AI score 7.8, EPSS 0.7058
Exploits: 3, References: 3
EUVD
added 2025/03/31 6:31 p.m., 3 views

EUVD-2025-8862

Xorcom CompletePBX is vulnerable to a path traversal via the Diagnostics reporting module, which will allow reading of arbitrary files and additionally delete any retrieved file in place of the expected report. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 6.7, AI score 6.5, EPSS 0.70195
Exploits: 1, References: 3
OSV
added 2025/03/31 5:15 p.m., 0 views

CVE-2025-30006

Xorcom CompletePBX is vulnerable to a reflected cross-site scripting (XSS) in the administrative control panel. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 6.1, AI score 5.6, EPSS 0.00268
Exploits: 0, References: 2
NVD
added 2025/03/31 5:15 p.m., 9 views

CVE-2025-30006

Xorcom CompletePBX is vulnerable to a reflected cross-site scripting (XSS) in the administrative control panel. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 6.1, EPSS 0.00268
Exploits: 0, References: 2
NVD
added 2025/03/31 5:15 p.m., 9 views

CVE-2025-30005

Xorcom CompletePBX is vulnerable to a path traversal via the Diagnostics reporting module, which will allow reading of arbitrary files and additionally delete any retrieved file in place of the expected report. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 8.3, EPSS 0.70195
Exploits: 1, References: 2
NVD
added 2025/03/31 5:15 p.m., 8 views

CVE-2025-30004

Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 8.8, EPSS 0.7058
Exploits: 3, References: 2
OSV
added 2025/03/31 5:15 p.m., 1 views

CVE-2025-30004

Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35...

CVSS 8.8, AI score 6, EPSS 0.7058
Exploits: 3, References: 2
OSV
added 2025/03/31 5:15 p.m., 0 views

CVE-2025-2292

Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX: through 5.2.35...

CVSS 6.5, AI score 5.9
Exploits: 0, References: 2
NVD
added 2025/03/31 5:15 p.m., 8 views

CVE-2025-2292

Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX: through 5.2.35...

CVSS 6.5, EPSS 0.52797
Exploits: 1, References: 2