CVE-2026-9588
Received Received - Intake

Stored XSS in Sangoma Switchvox SMB Edition

Vulnerability report for CVE-2026-9588, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Security Risk Advisors

Description

A stored cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997) within the voicemail notification template functionality.Β The submit_modify_voicemail_template endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious JavaScript supplied through the template_text parameter to be stored server-side and subsequently rendered to other users.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
sangoma switchvox_smb to 8.4.0.2 (exc)
sangoma switchvox_smb From 8.4.0.2 (inc)
sangoma switchvox_smb_edition 8.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a stored cross-site scripting (XSS) vulnerability in Sangoma Switchvox SMB Edition 8.3. It allows authenticated users to inject malicious JavaScript into voicemail notification templates via the template_text parameter. The unsanitized input is stored on the server and later rendered to other users, potentially executing arbitrary scripts in their browsers.

Detection Guidance

Check Sangoma Switchvox SMB Edition 8.3 (104997) for unauthorized modifications to voicemail notification templates. Inspect the submit_modify_voicemail_template endpoint for unsanitized HTML or JavaScript in the template_text parameter. Review server logs for suspicious activity related to template changes.

Impact Analysis

An attacker could steal session cookies, redirect users to malicious sites, or perform actions on their behalf. Users with access to the Switchvox system could have sensitive data exposed or their accounts compromised. The impact depends on user privileges and system configuration.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or health data, violating GDPR and HIPAA requirements for data protection. Organizations may face fines or penalties for failing to secure user data adequately.

Mitigation Strategies

Apply vendor patches if available. Disable or restrict access to the voicemail notification template functionality until patched. Implement input validation to sanitize HTML/JavaScript in the template_text parameter. Monitor for unauthorized template modifications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart