CVE-2026-44239

HIGH

FreePBX: Authenticated Local File Inclusion in Dashboard Module

Title source: cna

Description

FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-hw7v-v2jp-wc4v

Scores

CVSS v3 8.8

EPSS 0.0027

EPSS Percentile 18.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-98

Status published

Products (3)

FreePBX/security-reporting < 16.0.22

FreePBX/security-reporting >= 17.0.1, < 17.0.5

sangoma/freepbx < 16.0.22

Published May 29, 2026

Tracked Since May 29, 2026