CVE-2026-26978
Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php
FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6.
| CWE | CWE-502 |
| Vendor | freepbx |
| Product | security-reporting |
| Published | May 18, 2026 |
| Last Updated | May 20, 2026 |
Get instant alerts for freepbx security-reporting
Be the first to know when new unknown vulnerabilities affecting freepbx security-reporting are published โ delivered to Slack, Telegram or Discord.