cvebase

Freepbx Api vulnerabilities

3 known vulnerabilities affecting freepbx/api.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2026-40520 | P2 | HIGH | CVSS 8.8 | fixed in 17.0.8 | affected: ≤ 17.0.8 | 2026-04-21
CVE-2026-40520 [HIGH] CWE-78: FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped command
Source: nvd
CVE-2025-55210 | P3 | HIGH | CVSS 7.5 | affected: >= 15.0.1alpha1, < 16.0.17; >= 17.0.0, < 17.0.5 | 2026-02-12
CVE-2025-55210 [HIGH] CWE-270: FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a Free
Source: nvd
CVE-2025-55739 | P3 | MEDIUM | CVSS 5.1 | fixed in 15.0.13; affected: >= 16.0.2, < 16.0.15 (+1 more) | 2025-09-05
CVE-2025-55739 [MEDIUM] CWE-522: api is a module for FreePBX®, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private ke
Source: nvd