QwikSec

Security Database

CVE

CWE

Training

CVE-2026-44238

Published: May 29, 2026

Modified: May 30, 2026

PUBLISHED

Description

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11.

Vendor	Product	Versions
FreePBX	security-reporting	affected `< 16.0.50` affected `>= 17.0.1, < 17.0.11`

Weaknesses (CWE)

References

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.