CVE-2026-28284 HIGH

CVE-2026-28284: FreePBX: Authenticated SQL Injection Vulnerabilities in FreePBX Logfiles Module

Vendor Freepbx
Product security-reporting
Weakness CWE-89 · SQLi
Published March 5, 2026
Last update March 7, 2026
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.

Key dates

02Disclosure timeline

March 5, 2026 CVE published
March 7, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2019-25212 video carousel slider with lightbox <= 1.0.6 - Authenticated (Admin+) SQL Injection CVE-2021-44161 Changing Information Technology Inc. MOTP(Mobile One Time Password) - SQL Injection CVE-2026-3151 itsourcecode College Management System login.php sql injection CVE-2026-33078 Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter CVE-2023-49633 Billing Software v1.0 - Multiple Unauthenticated SQL Injections (SQLi)