
11 matches found

ATTACKERKB
added 2026/03/05 6:24 p.m. · 4 views

CVE-2026-28210

FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7...

8.6 CVSS · 5.9 AI score · 0.00071 EPSS
Exploits 0 · References 2 · Affected Software 1
NVD
added 2025/12/16 1:15 a.m. · 1 views

CVE-2025-67722

FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script amportal. In the deprecated amportal utility, the...

8.4 CVSS · 0.00012 EPSS
Exploits 0 · References 2
Vulnrichment
added 2025/12/16 12:14 a.m. · 2 views

CVE-2025-67722 Authenticated amportal search for ‘freepbx_engine’ in non root writeable directories leads to potential privilege escalation

FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script amportal. In the deprecated amportal utility, the...

8.4 CVSS · 6.5 AI score · 0.00012 EPSS
Exploits 0 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2009-4425

Malware in sbrugna...

4.3 CVSS · 6.4 AI score · 0.02149 EPSS
Exploits 3 · References 8
RedhatCVE
added 2025/09/17 10:45 p.m. · 2 views

CVE-2025-59056

FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control Panel web interface can cause the uninstall function to be triggered for certain modules. This function drops the module's database tables, which is where mo...

8.7 CVSS · 6.8 AI score · 0.00175 EPSS
Exploits 0 · References 1
CNNVD
added 2025/09/15 12:0 a.m. · 1 views

FreePBX path traversal vulnerability

FreePBX (formerly known as Asterisk Management Portal) is a suite of tools from the FreePBX project for configuring Asterisk (an IP telephony system) via a GUI (web-based graphical interface). A path traversal vulnerability exists in FreePBX versions 15, 16, and 17, which stems from a malicious...

8.7 CVSS · 6.7 AI score · 0.00175 EPSS
Exploits 0 · References 3
Tenable Nessus
added 2025/09/03 12:0 a.m. · 2 views

FreePBX < 16.0.89 Authentication Bypass

According to its self-reported version number, the FreePBX application running on the remote host is prior to 15.0.66 or 16.x prior to 16.0.89 or 17.x prior to 17.0.3. It is, therefore, affected by insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX...

10 CVSS · 7.8 AI score · 0.76952 EPSS
Exploits 14 · References 2
Vulnrichment
added 2025/08/28 4:45 p.m. · 3 views

CVE-2025-57819 FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issu...

10 CVSS · 7.5 AI score · 0.76952 EPSS
Exploits 14 · References 2
CVE
added 2025/08/28 4:45 p.m. · 569 views

CVE-2025-57819

FreePBX CVE-2025-57819 is an unauthenticated SQL injection leading to remote code execution in FreePBX 15.x, 16.x, and 17.x. Reports and PoCs describe exploitation via vulnerable endpoints (notably /admin/ajax.php and userman-related paths) enabling arbitrary database manipulation and RCE. Root c...

10 CVSS · 7.5 AI score · 0.76952 EPSS
In wild · Exploits 14 · References 4 · Affected Software 1
RedhatCVE
added 2025/05/22 10:35 a.m. · 5 views

CVE-2019-16966

An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class html\admin\modules\contactmanager\Contactmanager.class.php, an unsanitized group variable coming from the URL is reflected in HTML o...

6.1 CVSS · 6.7 AI score · 0.00333 EPSS
Exploits 0 · References 1
Positive Technologies
added 2012/09/06 12:0 a.m. · 3 views

PT-2012-5621 · Sangoma · Freepbx

Name of the Vulnerable Software and Affected Versions: FreePBX versions 2.9 and earlier
Description: The issue allows remote attackers to execute arbitrary commands. This is achieved through the callmenum parameter in a 'c' action, specifically targeting the callme startcall function in...

7.5 CVSS · 7.2 AI score · 0.85702 EPSS
Exploits 2 · References 14