CVE-2026-44239
FreePBX: Authenticated Local File Inclusion in Dashboard Module
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 13th |
FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.
| CWE | CWE-98 |
| Vendor | freepbx |
| Product | security-reporting |
| Published | May 29, 2026 |
| Last Updated | Jun 1, 2026 |
Affected Versions
FreePBX / security-reporting
< 16.0.22
>= 17.0.1, < 17.0.5
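The description above comes down to a request parameter reaching include() without validation. A hardened lookup for that pattern follows as an added PHP example; it is not FreePBX's code or its actual patch, and the function name resolveModuleClass, the sections directory and the demo files are assumptions constructed for illustration:

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not FreePBX code): map a user-supplied module name to
// a "<name>.class.php" file that must live directly under $baseDir.
function resolveModuleClass(string $baseDir, string $rawname): ?string
{
    // 1. Allowlist the name: path separators, dots and NUL bytes never pass.
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $rawname) !== 1) {
        return null;
    }
    // 2. Canonicalise, then confirm the result is still inside the base
    //    directory (this also catches symlinks that point elsewhere).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $rawname . '.class.php');
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo layout: one legitimate class file inside the base
// directory and one .class.php file outside it.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/sections', 0700, true);
file_put_contents($root . '/sections/overview.class.php', "<?php class overview {}\n");
file_put_contents($root . '/outside.class.php', "<?php echo 'should never run';\n");

// Constructed inputs: one valid name, then names that must be refused.
$inputs = ['overview', '../outside', 'overview/../../outside', 'missing', "overview\0"];
foreach ($inputs as $rawname) {
    $file = resolveModuleClass($root . '/sections', $rawname);
    $verdict = $file === null ? 'rejected' : 'include ' . basename($file);
    printf("%-32s => %s\n", json_encode($rawname), $verdict);
    if ($file !== null) {
        include_once $file; // only reached for validated, contained paths
    }
}
```

Only the first input resolves to a file. The allowlist refuses the traversal and NUL-byte names before any filesystem call, and the containment check remains as a second layer in case the allowlist is later loosened.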