CVE-2026-28287

CVE Database · CVE-2026-28287

CVE-2026-28287

· HIGHAnalyzed

CVSS v3.1

8.8

CVSS v4.0

8.6

EPSS

8.49%

Published

Mar 5, 2026

Modified

Mar 6, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78

Affected Products (2)

sangoma · freepbx (up to 16.0.20)vulnerable

sangoma · freepbx (up to 17.0.5)vulnerable

References (1)

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9vv6-h8v6-rp4q

MitigationVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs