CVE-2026-44239
Path Traversal in FreePBX Dashboard Module
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freepbx | freepbx | < 16.0.22 (16 branch) |
| freepbx | freepbx | < 17.0.5 (17 branch) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): the PHP application receives input from an upstream component but does not restrict, or incorrectly restricts, that input before using it in "require", "include" or similar functions. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is an authenticated Local File Inclusion (LFI) flaw in the FreePBX Dashboard module: the getcontent AJAX handler passes the user-supplied $_REQUEST['rawname'] parameter into an include() call without sanitizing the path.
An attacker with valid credentials can therefore place path traversal sequences such as ../ in rawname and make the handler include any file on the filesystem whose name ends in .class.php. Because PHP executes an included file as code before the handler can fail or reject it, whatever that file contains runs on the host. This is a local inclusion, so the target file must already exist on the server.
The flaw affects the Dashboard module in FreePBX before 16.0.22 (16 branch) and before 17.0.5 (17 branch); those releases contain the fix.
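The following is an added example, not FreePBX code, that shows why a traversal sequence in rawname escapes the module's class directory when the name is concatenated into the include path, next to a hardened check. The directory layout, the ".class.php" suffix handling, the function names and the class name sysoverview are assumptions made to show the mechanism; only the rawname parameter name comes from the advisory.

```python
"""Why '../' in rawname escapes the Dashboard class directory, and a hardened check.

Added example, not FreePBX code. The directory layout, the '.class.php' suffix
handling, the function names and the class name 'sysoverview' are assumptions
made to show the mechanism; only the rawname parameter name comes from the advisory.
"""
import os
import re

CLASS_DIR = "/var/www/html/admin/modules/dashboard/classes"  # assumed layout
NAME_RE = re.compile(r"[A-Za-z0-9_]+")  # a bare class name, no path separators


def unsafe_include_path(rawname, base=CLASS_DIR):
    """Mirror of the vulnerable pattern: untrusted input is concatenated into the
    path that include() receives, so '..' segments walk out of base."""
    return os.path.normpath(os.path.join(base, rawname + ".class.php"))


def safe_include_path(rawname, base=CLASS_DIR):
    """Hardened variant: accept only a bare identifier, then confirm the
    normalised result still lies under base. The first check already blocks
    traversal; the containment check is defence in depth if it is ever loosened."""
    if not NAME_RE.fullmatch(rawname):
        raise ValueError("rawname is not a plain class name: %r" % rawname)
    base = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base, rawname + ".class.php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes %s" % base)
    return candidate


if __name__ == "__main__":
    for name in ("sysoverview", "../../../../../../tmp/evil"):
        print("unsafe:", unsafe_include_path(name))
        try:
            print("safe:  ", safe_include_path(name))
        except ValueError as exc:
            print("safe:   rejected (%s)" % exc)
```

With six ../ segments the unsafe path resolves to /var/tmp/evil.class.php, a world-writable location, which is the kind of target an attacker with some other foothold on the box would use. In real PHP the containment check should be done on the result of realpath() after confirming the file exists, so that symlinks are resolved before comparison; the example uses normpath because the paths do not exist on the machine running it.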
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to execute arbitrary PHP code, and through it arbitrary commands, on the FreePBX host as the web server user (typically 'asterisk').
Such code execution can compromise the confidentiality, integrity, and availability of the system, potentially allowing attackers to access sensitive data, disrupt telephony services, or further escalate privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation consists of sending the Dashboard module's getcontent AJAX handler a rawname value that contains path traversal sequences, so that the handler includes a PHP file from outside its own directory.
To spot attempts, search the web server access logs for requests to that handler whose rawname parameter contains ../, including percent-encoded forms (..%2f, %2e%2e%2f) that a literal match on ../ would miss.
Example commands (case-insensitive; the pattern covers plain and percent-encoded traversal):
- grep -iE 'rawname=[^ &]*(\.\./|\.\.%2f|%2e%2e)' /var/log/httpd/access_log
- grep -iE 'rawname=[^ &]*(\.\./|\.\.%2f|%2e%2e)' /var/log/apache2/access.log
Two caveats. The handler reads $_REQUEST, so rawname can also arrive in a POST body (and, depending on PHP's request_order setting, a cookie), neither of which the access log records; a clean access log is therefore not proof that nothing happened. And the log shows only that a traversal was attempted, not whether the included file existed and executed. Network monitoring or an IDS/WAF rule that inspects request bodies for traversal sequences aimed at the Dashboard module covers what the access log cannot.
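The grep above is a quick triage; the detection logic below is an added example, not code from the page or from FreePBX, that does the same job over constructed Apache combined-format log lines while handling the encoded variants properly. It assumes the handler is reached through /admin/ajax.php with module=dashboard&command=getcontent (the usual FreePBX ajax.php routing; only the rawname parameter name comes from the advisory), and the sample log lines are constructed for the example.

```python
"""Flag Dashboard getcontent requests whose rawname contains a traversal.

Added example, not FreePBX or advisory code. Assumptions: the handler is reached
through /admin/ajax.php with module=dashboard&command=getcontent, and the log is
Apache combined format. SAMPLE_LOG is constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: a legitimate request, three traversal attempts in plain,
# single- and double-encoded form, an unrelated page, and a POST whose body
# (where rawname could also travel) is invisible in the access log.
SAMPLE_LOG = """\
203.0.113.7 - - [29/May/2026:10:01:02 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=sysoverview HTTP/1.1" 200 1532
203.0.113.7 - - [29/May/2026:10:01:09 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=../../../../../../tmp/evil HTTP/1.1" 200 12
203.0.113.7 - - [29/May/2026:10:01:15 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=..%2F..%2F..%2Ftmp%2Fevil HTTP/1.1" 500 0
203.0.113.7 - - [29/May/2026:10:01:21 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=%252e%252e%252f%252e%252e%252ftmp%252fevil HTTP/1.1" 200 12
198.51.100.4 - - [29/May/2026:10:02:00 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 9031
198.51.100.4 - - [29/May/2026:10:02:30 +0000] "POST /admin/ajax.php?module=dashboard&command=getcontent HTTP/1.1" 200 12
"""


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing, so %2e%2e and the
    double-encoded %252e%252e both surface as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(rawname):
    """True if the decoded name has a '..' segment or is an absolute path,
    i.e. it would leave the module's own directory."""
    decoded = fully_decode(rawname).replace("\\", "/")
    return decoded.startswith("/") or any(seg == ".." for seg in decoded.split("/"))


def find_suspicious(log_text):
    """Return one record per request to the getcontent handler with a traversal in rawname."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/admin/ajax.php"):
            continue
        qs = parse_qs(parts.query)  # decodes one layer; fully_decode handles the rest
        if qs.get("module", [""])[0] != "dashboard" or qs.get("command", [""])[0] != "getcontent":
            continue
        for rawname in qs.get("rawname", []):
            if is_traversal(rawname):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "rawname": fully_decode(rawname)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("%(ts)s %(ip)s status=%(status)s rawname=%(rawname)s" % hit)
```

The last sample line is the reason the caveat above matters: it is a POST to the right handler, but rawname is in the body, so the detector (like the access log) sees nothing. A 500 status on an attempt does not mean it failed harmlessly, either; PHP has already executed the file by the time an error is raised, so every hit deserves a look at what rawname pointed to.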
What immediate steps should I take to mitigate this vulnerability?
Update the FreePBX Dashboard module to 16.0.22 or later on the 16 branch, or 17.0.5 or later on the 17 branch; those releases contain the fix. Module Admin in the web UI or fwconsole ma upgrade dashboard on the command line performs the update.
Until the update is in place, reduce who can reach the vulnerable handler: the bug requires valid credentials, so restrict the FreePBX Administrator Control Panel to trusted administrators and review admin accounts for stale or shared logins.
Deny access to the Administrator Control Panel from untrusted networks, using the host firewall or the FreePBX firewall module, to shrink the attack surface.