CVE-2026-9586
Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with <PolycomIPPhone> and directly concatenates the user-controlled PhoneIP value into PostgreSQL queries without sanitization or parameterization. An unauthenticated remote attacker can execute arbitrary SQL statements against the backend PostgreSQL database using a single crafted request, including database operations and remote code execution.
| CWE | CWE-89 |
| Vendor | sangoma |
| Product | switchvox smb edition |
| Published | Jul 17, 2026 |
| Last Updated | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for sangoma switchvox smb edition
Be the first to know when new unknown vulnerabilities affecting sangoma switchvox smb edition are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Sangoma / Switchvox SMB Edition
8.3 (104997) < 8.4.0.2
References
Credits
Cam Lischke (SRA)