PatchSiren cyber security CVE debrief
CVE-2026-49472 signalwire CVE debrief
CVE-2026-49472 is a vulnerability in FreeSWITCH, a Software Defined Telecom Stack. The flaw is in the function PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version of libexpat/libexpat and did not receive the corresponding security patch. This issue has been patched in version 1.11.0. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.
- Vendor: signalwire
- Product: freeswitch
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of FreeSWITCH versions prior to 1.11.0 should be aware of this vulnerability and take steps to upgrade to the latest version.
Technical summary
The flaw is in the function PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c. This function was cloned from an outdated and vulnerable version of libexpat/libexpat and did not receive the corresponding security patch.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to FreeSWITCH version 1.11.0 or later.
Evidence notes
The vulnerability was patched in version 1.11.0.
Official resources
- CVE-2026-49472 CVE record (CVE.org)
- CVE-2026-49472 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE-2026-49472 was published on 2026-06-09T17:17:47.243Z and modified on 2026-06-10T15:06:00.993Z.