PatchSiren cyber security CVE debrief
CVE-2026-44239 FreePBX CVE debrief
A path traversal vulnerability in FreePBX Dashboard module's getcontent AJAX handler allows authenticated attackers to execute arbitrary PHP code. The vulnerability exists because the `$_REQUEST['rawname']` parameter is unsafely concatenated into an `include()` call with a `.class.php` suffix, permitting directory traversal via `../` sequences. Successful exploitation requires the attacker to identify or place a `.class.php` file containing malicious PHP code at a predictable filesystem location accessible through traversal. The vulnerability affects FreePBX versions prior to 16.0.22 and 17.0.5.
- Vendor: FreePBX
- Product: security-reporting
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
FreePBX administrators, VoIP security teams, and organizations running on-premise PBX infrastructure should prioritize this vulnerability. The attack requires low privileges and has high confidentiality and integrity impact, making it attractive for attackers who have gained any level of authenticated access to the FreePBX web interface.
Technical summary
The FreePBX Dashboard module contains a vulnerable getcontent AJAX handler that performs unsafe file inclusion. The handler takes a user-supplied `rawname` parameter and directly concatenates it into an `include()` statement with a hardcoded `.class.php` extension. Without proper path sanitization, an attacker can inject directory traversal sequences (`../`) to escape the intended module directory and include arbitrary `.class.php` files from the filesystem. When PHP includes a file, the code executes immediately, allowing attackers to achieve code execution even if subsequent class instantiation fails. This represents a classic Local File Inclusion (LFI) vulnerability with code execution impact due to PHP's include behavior.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade FreePBX to a fixed release: 16.0.22 or later on the 16.x branch, or 17.0.5 or later on the 17.x branch
- If immediate patching is not possible, restrict access to the Dashboard module's AJAX endpoints to trusted administrative IP addresses
- Review web server logs for requests to the getcontent AJAX handler whose `rawname` parameter contains path traversal patterns (`../` sequences)
- Audit the filesystem for unexpected `.class.php` files in web-accessible or predictable locations that could be leveraged for code execution
- Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts in AJAX requests to the Dashboard module
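The log-review action above, as an added example that is not part of the original advisory: it parses combined-format access log lines, isolates requests to the Dashboard getcontent handler, and flags any `rawname` value that resolves to a `../` sequence after percent-decoding (single or repeated). The endpoint shape `/admin/ajax.php?module=dashboard&command=getcontent` and the sample log lines are constructed assumptions, not taken from the advisory.

```python
"""Flag access-log requests to the FreePBX Dashboard getcontent handler whose
rawname parameter carries a path-traversal sequence (CVE-2026-44239)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines; the ajax.php endpoint shape is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2026:10:01:02 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=overview HTTP/1.1" 200 512
203.0.113.11 - - [29/May/2026:10:02:03 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=../../tmp/probe HTTP/1.1" 200 44
203.0.113.12 - - [29/May/2026:10:03:04 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=..%2F..%2Ftmp%2Fprobe HTTP/1.1" 200 44
203.0.113.13 - - [29/May/2026:10:04:05 +0000] "GET /admin/ajax.php?module=dashboard&command=getcontent&rawname=%252e%252e%252f..%2Fx HTTP/1.1" 500 0
203.0.113.14 - - [29/May/2026:10:05:06 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 9000
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment, at the start or between separators, is the traversal signal.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_getcontent_request(target: str) -> bool:
    """True when the request target is the Dashboard module's getcontent AJAX call."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    return (parts.path.endswith("/ajax.php")
            and qs.get("module", [""])[0].lower() == "dashboard"
            and qs.get("command", [""])[0].lower() == "getcontent")


def find_traversal_hits(log_text: str) -> list[dict]:
    """Return one record per getcontent request whose rawname contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_getcontent_request(m.group("target")):
            continue
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for raw in qs.get("rawname", []):        # parse_qs already decoded one round
            decoded = fully_decode(raw)
            if TRAVERSAL_RE.search(decoded):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "rawname": decoded, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(hit)
```

Because the handler reads `$_REQUEST`, the parameter may also arrive in a POST body, which standard access logs do not record; treat this check as covering GET requests only and pair it with WAF or application-level logging for POST.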
Evidence notes
Vulnerability confirmed via GitHub Security Advisory GHSA-hw7v-v2jp-wc4v. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, low privileges required, and high impact to confidentiality and integrity. CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) is classified as the primary weakness.
Official resources
- CVE-2026-44239 CVE record (CVE.org)
- CVE-2026-44239 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29