SQL Injection in Freepbx Security-reporting
CVE-2026-28284
FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.
Vulnerability class: SQL Injection
EPSS: 0.000 (12.9th percentile) — read the EPSS interpretation.
Affected products
- Freepbx Security-reporting — versions < 16.0.10, < 17.0.5
Weakness classification (CWE)
References
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-4887-4jwp-327g (x_refsource_CONFIRM)