Every CVE whose affected-product data names Sangoma Freepbx, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (40)
CVE-2014-7235 — CVSS 10.0 (critical): htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11…
CVE-2026-46376 — CVSS 9.8 (critical): FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control…
CVE-2025-66039 — CVSS 9.8 (critical): FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass…
CVE-2026-44238 — CVSS 8.8 (high): FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort…
CVE-2024-58294 — CVSS 8.8 (high): FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session…
CVE-2023-43336 — CVSS 8.8 (high): Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a…
CVE-2026-28287 — CVSS 8.8 (high): FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command…
CVE-2026-28284 — CVSS 8.8 (high): FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL…
CVE-2026-28210 — CVSS 8.8 (high): FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query…
CVE-2025-55211 — CVSS 8.8 (high): FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Administrator…
CVE-2026-44239 — CVSS 8.8 (high): FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on…
CVE-2026-44237 — CVSS 8.1 (high): FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client…
CVE-2025-67722 — CVSS 7.8 (high): FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the…
CVE-2025-59056 — CVSS 7.5 (high): FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control…
CVE-2012-4869 — CVSS 7.5 (high): The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute…
CVE-2014-1903 — CVSS 7.5 (high): admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before…
CVE-2025-55210 — CVSS 7.5 (high): FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api…
CVE-2026-28209 — CVSS 7.2 (high): FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection…
CVE-2019-19538 — CVSS 7.2 (high): In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution…
CVE-2018-6393 — CVSS 7.2 (high): FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the…
CVE-2025-67736 — CVSS 7.2 (high): The FreePBX module tts (Text to Speech) for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk…
CVE-2009-1802 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow…
CVE-2010-3490 — CVSS 6.5 (medium): Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0…
CVE-2019-16967 — CVSS 6.1 (medium): An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x before 15.0.6 before FreePBX 14.0.10.3. In the Manager module form…
CVE-2019-16966 — CVSS 6.1 (medium): An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In…
CVE-2020-36630 — CVSS 5.5 (medium): A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the file…
CVE-2025-59429 — CVSS 5.4 (medium): FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for…
CVE-2009-1803 — CVSS 5.0 (medium): FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, generates different error messages for a failed login attempt…
CVE-2019-19551 — CVSS 4.8 (medium): In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An…
CVE-2018-15891 — CVSS 4.8 (medium): An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules…
CVE-2019-19852 — CVSS 4.8 (medium): An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel…
CVE-2019-19851 — CVSS 4.8 (medium): An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at…
CVE-2019-19615 — CVSS 4.8 (medium): Multiple XSS vulnerabilities exist in the Backup & Restore module \ v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at…
CVE-2019-19552 — CVSS 4.8 (medium): In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e…
CVE-2009-1801 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, allow remote…
CVE-2012-4870 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and earlier allow remote attackers to inject arbitrary web script or…
CVE-2019-25090 — CVSS 3.5 (low): A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. Affected by this issue is some unknown…
CVE-2024-53564 — CVSS 2.2 (low): A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing…