PatchSiren cyber security CVE debrief
CVE-2026-9588 Sangoma CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997) within the voicemail notification template functionality. The submit_modify_voicemail_template endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious JavaScript supplied through the template_text parameter to be stored server-side and subsequently rendered to other users. This vulnerability can lead to unauthorized actions or data breaches. Limited evidence suggests that Sangoma Switchvox SMB Edition 8.3 (104997) is affected.
- Vendor
- Sangoma
- Product
- Switchvox SMB Edition
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Sangoma Switchvox SMB Edition 8.3 (104997) should be aware of this stored XSS vulnerability and take steps to mitigate it. This includes applying vendor patches or updates when available, restricting access to the voicemail notification template functionality, implementing input validation and sanitization for user-supplied content, and monitoring for suspicious activity. Security teams and platform operators should prioritize vulnerability management and review compensating controls for exposed systems.
Technical summary
The vulnerability exists in the voicemail notification template functionality of Sangoma Switchvox SMB Edition 8.3 (104997). The submit_modify_voicemail_template endpoint does not properly sanitize HTML content provided by authenticated users, allowing malicious JavaScript code to be stored and rendered to other users. This stored cross-site scripting (XSS) vulnerability can be exploited through the template_text parameter, potentially leading to unauthorized actions or data breaches.
Defensive priority
High
Recommended defensive actions
- Apply vendor patches or updates when available
- Restrict access to the voicemail notification template functionality
- Implement input validation and sanitization for user-supplied content
- Monitor for suspicious activity and implement compensating controls
- Review official advisories for scope and guidance
- Confirm whether affected product deployments exist in managed environments
- Track exceptions and retest remediated assets
Evidence notes
Evidence is limited; further verification is required to confirm the full scope of the vulnerability. The submit_modify_voicemail_template endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious JavaScript supplied through the template_text parameter to be stored server-side and subsequently rendered to other users. Limited evidence suggests that Sangoma Switchvox SMB Edition 8.3 (104997) is affected. Defenders should verify the existence of affected deployments and review official advisories for scope and guidance.
Official resources
-
CVE-2026-9588 CVE record
CVE.org
-
CVE-2026-9588 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
57dba5dd-1a03-47f6-8b36-e84e47d335d8
-
Source reference
57dba5dd-1a03-47f6-8b36-e84e47d335d8
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:18.413Z and has not been modified since then.