CVE-2026-28209
FreePBX: Command Injection leading to Remote Code Execution in FreePBX ElevenLabs Text-to-Speech integration
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.
| CWE | CWE-78 |
| Vendor | freepbx |
| Product | security-reporting |
| Published | Mar 5, 2026 |
| Last Updated | Mar 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for freepbx security-reporting
Be the first to know when new unknown vulnerabilities affecting freepbx security-reporting are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
FreePBX / security-reporting
>= 16.0.17.2, < 16.0.20 >= 17.0.2.4, < 17.0.5