Serial number: AV26-711
Date: July 17, 2026
On July 17, 2026, FreePBX published security advisories to address vulnerabilities in the following products. Included were critical updates for the following:
- FreePBX Security-Reporting ucp (FreePBX 17) – versions prior to 17.0.9
- FreePBX Security-Reporting missedcall (FreePBX 16) – versions prior to 16.0.11
- FreePBX Security-Reporting missedcall (FreePBX 16) – versions prior to 17.0.6
- FreePBX Security-Reporting tts (FreePBX 17) – versions prior to 17.0.6
- FreePBX Security-Reporting tts (FreePBX 16) – versions prior to 16.0.6
- FreePBX Security-Reporting music (FreePBX 17) – versions prior to 17.0.7
- FreePBX Security-Reporting framework (FreePBX 16) – versions prior to 16.0.47
- FreePBX Security-Reporting framework (FreePBX 17) – versions prior to 17.0.30
The Cyber Centre encourages users and administrators to review the web links provided, apply the necessary updates and perform the suggested mitigations.
- Unauthenticated remote code execution in FreePBX UCP via socket.io namespace auth bypass and AMI action injection
- Unauthenticated SQL injection in FreePBX missedcall via inbound Caller ID name leads to administrator takeover
- Authenticated TTS AGI Command Injection Through TTS Name
- Authenticated FreePBX Music RCE via mpg123 and Asterisk Call Files
- Authenticated Framework AUTHTYPE Can Be Restored From a Crafted Backup
- FreePBX Security Advisories