PatchSiren

FreePBX CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Severity: HIGH | Product: FreePBX | CVE published 2026-05-18

CVE-2026-26978

CVE-2026-26978 affects FreePBX backup restore handling. In affected versions, a crafted tar archive can cause data to be passed into PHP unserialize() without validation, class restrictions, or integrity checks during restore. That can lead to remote code execution as the web server user when an authenticated user with sufficient backup/restore access processes a malicious backup. The issue was published [truncated]