CVE-2025-59056
HIGH
FreePBX 15.0-15.0.37 - Path Traversal via Module Uninstall Function
Title source: llmDescription
FreePBX is an open-source web-based graphical user interface. In FreePBX 15, 16, and 17, malicious connections to the Administrator Control Panel web interface can cause the uninstall function to be triggered for certain modules. This function drops the module's database tables, which is where most modules store their configuration. This vulnerability is fixed in 15.0.38, 16.0.41, and 17.0.21.
References (2)
Core References
Mitigation, Third Party Advisory (x_refsource_confirm)
https://github.com/FreePBX/security-reporting/security/advisories/GHSA-frc2-jhgg-rwpr
Product (x_refsource_misc)
https://github.com/FreePBX/framework/blame/release/17.0/amp_conf/htdocs/admin/ajax.php#L18
Scores
CVSS v3
7.5
EPSS
0.0043
EPSS Percentile
34.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
sangoma/freepbx
15.0 - 15.0.38
Published
Sep 15, 2025
Tracked Since
Feb 18, 2026