Deserialization in Freepbx Security-reporting

CVE-2026-26978

FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. D…

Vulnerability class: Insecure Deserialization

EPSS: 0.005 (65.3th percentile) — read the EPSS interpretation.

Affected products

Freepbx Security-reporting — versions < 16.0.71, >= 17.0.0, < 17.0.6

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

References

security-advisories@github.com (x_refsource_MISC)
security-advisories@github.com (x_refsource_MISC)
security-advisories@github.com (x_refsource_CONFIRM)