What is CVE-2026-46376?

CVE-2026-46376 is a critical-severity vulnerability in Freepbx Security-reporting, classified under Use of Hard-coded Credentials. CVSS score: 9.8/10. Published 2026-05-29.

How severe is CVE-2026-46376?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2026-46376 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Freepbx Security-reporting

CVE-2026-46376

FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by th…

EPSS: 0.001 (24.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Freepbx Security-reporting — versions >= 15.0.42, < 16.0.45, >= 17.0.1, < 17.0.7
Sangoma Freepbx

Weakness classification (CWE)

CWE-798 — Use of Hard-coded Credentials

Public proof-of-concept exploits

portbuster1337/CVE-2026-46376

References

security-advisories@github.com (x_refsource_CONFIRM, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-46376?: CVE-2026-46376 is a critical-severity vulnerability in Freepbx Security-reporting, classified under Use of Hard-coded Credentials. CVSS score: 9.8/10. Published 2026-05-29.
How severe is CVE-2026-46376?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2026-46376 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.