CVE-2026-44239
8.8 HIGHFreePBX is an open source IP PBX
Published: 2026-05-29 · Last updated: 2026-06-01
Severity and scoring
- CVSS
- 8.8 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-98
Affected products
| Vendor | Product |
|---|---|
| sangoma | freepbx |
Description
FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-46376 — FreePBX is an open source IP PBX (9.8 CRITICAL)
- CVE-2026-44238 — FreePBX is an open source IP PBX (8.8 HIGH)
- CVE-2026-44237 — FreePBX is an open source IP PBX (8.1 HIGH)
Same CWE
- CVE-2016-20064 — WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploitin... (6.2 MEDIUM)
- CVE-2026-9662 — The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3 (8.1 HIGH)
- CVE-2026-39553 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Wa... (8.1 HIGH)
- CVE-2026-39552 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co (8.1 HIGH)
- CVE-2025-69369 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Racq... (8.1 HIGH)