PatchSiren

OpenSIPS CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH OpenSIPS CVE published 2026-02-25

CVE-2026-25554

CVE-2026-25554 is a SQL injection vulnerability in OpenSIPS versions 3.1 before 3.6.4. The auth_jwt module is affected when db_mode is enabled and a SQL database backend is used. The vulnerability allows an attacker to manipulate the query result and bypass JWT authentication, enabling impersonation of arbitrary identities. This could lead to unauthorized access and potential data breaches. OpenSIPS users [truncated]