SQL Injection in Sangoma Switchvox Smb Edition
CVE-2026-9586
An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with <PolycomIPPhone> and directly concatenates the user-controlled PhoneIP value into Po…
Vulnerability class: SQL Injection
Affected products
- Sangoma Switchvox Smb Edition — versions 8.3 (104997)
Weakness classification (CWE)
References
- 57dba5dd-1a03-47f6-8b36-e84e47d335d8 (release-notes)
- 57dba5dd-1a03-47f6-8b36-e84e47d335d8 (third-party-advisory)