CVE-2026-49472 MEDIUM

CVE-2026-49472: FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat

Vendor Signalwire
Product freeswitch
Weakness CWE-116
Published June 9, 2026
Last update June 10, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.

Key dates

02 Disclosure timeline

June 9, 2026 CVE published
June 10, 2026 Record updated