CVE-2026-28210

Undergoing Analysis Undergoing Analysis - In Progress

SQL Injection in FreePBX CDR Module Allows Data Manipulation

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: GitHub, Inc.

Description

FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-05

Last Modified

2026-03-06

Generated

2026-06-16

AI Q&A

2026-03-05

EPSS Evaluated

2026-06-14

NVD

CVE-2026-28210

EUVD

EUVD-2026-9857

Affected Vendors & Products

Vendor	Product	Version / Range
sangoma	freepbx	From 17.0 (inc) to 17.0.7 (exc)
sangoma	freepbx	From 16.0 (inc) to 16.0.49 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-28210 is an authenticated SQL injection vulnerability in the FreePBX cdr (Call Data Record) module affecting versions prior to 16.0.49 and 17.0.7.

The vulnerability occurs due to insufficient input sanitization of certain LIMIT parameters in SQL queries, specifically in the file page.cdr.php at lines 696 and 702.

This flaw allows attackers who have valid credentials and high privileges to inject malicious SQL code via user-controlled input, enabling both UNION-based and Time-Based Blind SQL injection attacks.

As a result, attackers can view or manipulate database data directly.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with authenticated access and high privileges to execute arbitrary SQL commands on the database.

Attackers can view sensitive data stored in the database.
Attackers can manipulate or alter database data, potentially disrupting system operations.
The integrity, confidentiality, and availability of the affected system can be compromised.

Exploitation requires authentication but no user interaction, making it easier for attackers with access to cause damage.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is an authenticated SQL injection in the FreePBX cdr module, specifically involving insufficient input sanitization of certain LIMIT parameters in SQL queries within page.cdr.php at lines 696 and 702.

Detection involves verifying if your FreePBX installation is running a vulnerable version (prior to 16.0.49 or 17.0.7) and monitoring for suspicious authenticated requests to the cdr module that include unusual or crafted LIMIT parameters.

While no explicit detection commands are provided, you can check the FreePBX version via the command line or web interface to confirm if it is vulnerable.

Check FreePBX version: Use the FreePBX web interface or run `fwconsole --version` on the server.
Monitor web server logs for authenticated requests to page.cdr.php with suspicious parameters, especially those containing SQL keywords or unusual LIMIT values.
Use web application firewall (WAF) logs or IDS/IPS systems to detect SQL injection patterns targeting the cdr module.

Mitigation Strategies

To mitigate this vulnerability immediately, update the FreePBX cdr module to version 16.0.49 or 17.0.7 where the issue has been patched.

Additionally, restrict access to the FreePBX Administrator Control Panel to prevent unauthorized or unnecessary access.

Apply the official update to the cdr module to version 16.0.49 or 17.0.7.
Restrict access to the Admin Control Panel using user management controls.
Implement VPN access for administrative functions.
Enable Multi-Factor Authentication (MFA) and SAML authentication for administrators.
Use firewall modules to limit network access to the FreePBX administration interface.

Hi! I’m here to help you understand CVE-2026-28210. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-28210

SQL Injection in FreePBX CDR Module Allows Data Manipulation

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart