RCE (OS command injection) in FreePBX
CVE-2026-28209
FreePBX is an open source IP PBX. In versions from 16.0.17.2 up to but not including 16.0.20, and from 17.0.2.4 up to but not including 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the record…
Vulnerability class: Command Injection (OS Command Injection)
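The page gives only the vulnerability class, not the affected code path, so the following is an added illustration of the class itself, not FreePBX's code and not a reproduction of this CVE. FreePBX is written in PHP, but the pattern is language-independent and is shown here in Python so it can run offline: user-supplied TTS text is interpolated into a shell command string (the vulnerable shape), beside two hardened forms (quoting every untrusted token with shlex.quote when a shell string is unavoidable, and the preferred form of passing an argv list with no shell at all). The engine binary name, the output file name and the sample inputs are constructed for the example; `echo` stands in for the real TTS binary so that the effect of the injected second command is visible in the output.

```python
import shlex
import subprocess

# Stand-in for the real TTS binary so the example runs offline (assumption: the
# real engine takes --text and --out; this is illustrative, not FreePBX's CLI).
# A command that just prints its argument vector makes the injection observable:
# with the real engine the second command would simply run as the PBX service user.
ENGINE = "echo"
OUTFILE = "greeting.wav"

# Constructed inputs: the text a user submits to be synthesised.
BENIGN_TEXT = "Thank you for calling"
# Closes the double-quoted argument, appends a second command, then re-opens a
# quote so the tail of the original command line still parses.
HOSTILE_TEXT = 'Thank you for calling"; echo INJECTED; echo "'


def build_vulnerable_command(text: str) -> str:
    """Vulnerable pattern: interpolate untrusted text straight into a shell string."""
    return f'{ENGINE} --text "{text}" --out {OUTFILE}'


def run_vulnerable(text: str) -> list[str]:
    """Run the interpolated string through /bin/sh and return its stdout lines."""
    proc = subprocess.run(build_vulnerable_command(text), shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def build_quoted_command(text: str) -> str:
    """Hardened form 1: if a shell string is unavoidable, quote every untrusted token."""
    return f"{ENGINE} --text {shlex.quote(text)} --out {shlex.quote(OUTFILE)}"


def run_quoted(text: str) -> list[str]:
    """Same shell invocation as run_vulnerable, but with shlex.quote applied."""
    proc = subprocess.run(build_quoted_command(text), shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def run_argv(text: str) -> list[str]:
    """Hardened form 2 (preferred): no shell; the user text is exactly one argv element."""
    proc = subprocess.run([ENGINE, "--text", text, "--out", OUTFILE],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def was_injected(lines: list[str]) -> bool:
    """True when the payload's second command ran and printed its marker on its own line."""
    return "INJECTED" in lines


if __name__ == "__main__":
    for label, runner in (("vulnerable", run_vulnerable),
                          ("quoted", run_quoted),
                          ("argv", run_argv)):
        lines = runner(HOSTILE_TEXT)
        print(f"{label:10s} injected={was_injected(lines)} output={lines}")
```

The argv form is the one to reach for: it removes the shell from the path entirely, so there is no metacharacter set to get wrong, whereas the quoting form is only as good as the guarantee that every untrusted fragment passes through shlex.quote. In PHP the equivalent split is escapeshellarg() for each argument versus proc_open() with an array command (PHP 7.4+), which likewise bypasses the shell.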
EPSS: 0.002 (36.4th percentile)
Affected products
- FreePBX (advisory published in the FreePBX/security-reporting repository): 16.0.17.2 <= version < 16.0.20, and 17.0.2.4 <= version < 17.0.5
Weakness classification (CWE)
References
- GHSA-f558-mp87-58vj (vendor advisory, GitHub): https://github.com/FreePBX/security-reporting/security/advisories/GHSA-f558-mp87-58vj