CVE-2026-28210

HIGH WAF: High

CVSS 8.8 Published: 2026-03-05

CWE-89

FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7.

WAF Coverage Analysis

SQL Injection High WAF Coverage

OWASP: A03:2021 Injection

942xxx - SQL Injection

Affected Software

Vendor	Product	Version
sangoma	freepbx	16.0 - 16.0.49
sangoma	freepbx	17.0 - 17.0.7

References

github.com (Mitigation, Vendor Advisory)

Back to CVE Database