CVE-2026-9586
Received Received - Intake

Unauthenticated SQL Injection in Sangoma Switchvox SMB Edition

Vulnerability report for CVE-2026-9586, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Security Risk Advisors

Description

An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with <PolycomIPPhone> and directly concatenates the user-controlled PhoneIP value into PostgreSQL queries without sanitization or parameterization. An unauthenticated remote attacker can execute arbitrary SQL statements against the backend PostgreSQL database using a single crafted request, including database operations and remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
sangoma switchvox to 8.4.0.2 (exc)
sangoma switchvox 8.4.0.2
sangoma switchvox_smb_edition 8.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is an unauthenticated SQL injection vulnerability in Sangoma Switchvox SMB Edition 8.3. The /pa endpoint processes XML content with a PhoneIP value that is directly inserted into PostgreSQL queries without sanitization. An attacker can exploit this to execute arbitrary SQL commands, including database operations and remote code execution, using a single crafted request.

Detection Guidance

Detecting this vulnerability requires checking for unauthenticated SQL injection attempts targeting the /pa endpoint in Sangoma Switchvox SMB Edition 8.3. Monitor PostgreSQL logs for suspicious queries containing <PolycomIPPhone> tags or unusual input in the PhoneIP field. Use network traffic inspection tools like tcpdump or Wireshark to capture and analyze requests to /pa with XML payloads.

Impact Analysis

An attacker could steal, modify, or delete sensitive data from the database, install malware, or take control of the system. Since no authentication is required, any external attacker with network access to the vulnerable endpoint can exploit this issue.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or health data, violating GDPR and HIPAA requirements for data protection and access controls. Organizations may face fines, legal penalties, and reputational damage if exploited.

Mitigation Strategies

Immediately apply the latest security patch from Sangoma for Switchvox SMB Edition 8.3. If a patch is unavailable, restrict network access to the /pa endpoint using firewalls or disable it entirely. Implement input validation for XML content and enforce strict parameterized queries in PostgreSQL. Consider isolating the database server from untrusted networks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9586. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart