🔐 CVE Alert

CVE-2026-9586

UNKNOWN 0.0

Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with <PolycomIPPhone> and directly concatenates the user-controlled PhoneIP value into PostgreSQL queries without sanitization or parameterization. An unauthenticated remote attacker can execute arbitrary SQL statements against the backend PostgreSQL database using a single crafted request, including database operations and remote code execution.

CWE CWE-89
Vendor sangoma
Product switchvox smb edition
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for sangoma switchvox smb edition

Be the first to know when new unknown vulnerabilities affecting sangoma switchvox smb edition are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Sangoma / Switchvox SMB Edition
8.3 (104997) < 8.4.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗
sangomakb.atlassian.net: https://sangomakb.atlassian.net/wiki/spaces/Switchvox/pages/1802371073/Switchvox+-+Release+Notes+Version+8.4.0.2+July+14+2026 labs.sra.io: https://labs.sra.io/posts/switchvox/

Credits

Cam Lischke (SRA)