{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28209", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T15:28:40.648Z", "datePublished": "2026-03-05T18:22:38.865Z", "dateUpdated": "2026-03-07T04:55:26.005Z"}, "containers": {"cna": {"title": "FreePBX: Command Injection leading to Remote Code Execution in FreePBX ElevenLabs Text-to-Speech integration", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-f558-mp87-58vj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-f558-mp87-58vj"}], "affected": [{"vendor": "FreePBX", "product": "security-reporting", "versions": [{"version": ">= 16.0.17.2, < 16.0.20", "status": "affected"}, {"version": ">= 17.0.2.4, < 17.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:22:38.865Z"}, "descriptions": [{"lang": "en", "value": "FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5."}], "source": {"advisory": "GHSA-f558-mp87-58vj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-28209"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-07T04:55:26.005Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28209", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T15:58:37.165778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:58:38.130Z"}}], "cna": {"title": "FreePBX: Command Injection leading to Remote Code Execution in FreePBX ElevenLabs Text-to-Speech integration", "source": {"advisory": "GHSA-f558-mp87-58vj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FreePBX", "product": "security-reporting", "versions": [{"status": "affected", "version": ">= 16.0.17.2, < 16.0.20"}, {"status": "affected", "version": ">= 17.0.2.4, < 17.0.5"}]}], "references": [{"url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-f558-mp87-58vj", "name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-f558-mp87-58vj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:22:38.865Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28209", "state": "PUBLISHED", "dateUpdated": "2026-03-07T04:55:26.005Z", "dateReserved": "2026-02-25T15:28:40.648Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T18:22:38.865Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "matchCriteriaId": "591ED4D2-563D-473C-9ABE-4B186BB1BDAC", "versionEndExcluding": "16.0.20", "versionStartIncluding": "16.0.17.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6ADC9A7-6CF7-4522-9730-4A1AFDA10984", "versionEndExcluding": "17.0.5", "versionStartIncluding": "17.0.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5."}], "id": "CVE-2026-28209", "lastModified": "2026-03-06T18:45:06.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T19:16:14.560", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-f558-mp87-58vj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[16.0.17.2,16.0.20)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[17.0.2.4,17.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "security-reporting", "source": "cna", "vendor": "FreePBX"}, "product": "security-reporting", "vendor": "freepbx"}], "analysis": {"en": {"generated_at": "2026-04-16T12:17:46.139643+00:00", "value": {"mitigation_remediation": ["Upgrade FreePBX to at least version 16.0.20 or 17.0.5, which contain the full fix for the command injection point.", "If upgrading immediately is not feasible, disable the ElevenLabs Text-to-Speech integration in the recordings module until the patch is applied.", "Ensure that only trusted administrators have access to the recordings configuration to prevent unauthorized injection attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects the FreePBX platform under the FreePBX:security\u2011reporting vendor. All releases between 16.0.17.2 and the year\u2011end of 16.0.19, and between 17.0.2.4 and 17.0.4 are vulnerable. Versions 16.0.20 and later, and 17.0.5 and later include the patch that eliminates the injection point.", "description_and_impact": "FreePBX contains a command injection flaw in the ElevenLabs Text-to-Speech (TTS) integration within the recordings module, enabling attackers to run arbitrary system commands on the server. The vulnerability would allow full compromise of the affected FreePBX instance, giving attackers complete read, modify and execute capabilities. The weakness is consistent with CWE\u201178, highlighting improper handling of system commands without proper sanitization. The impact is therefore Local Integrity and Confidentiality loss, with possible Remote Code Execution when an attacker succeeds.", "risk_and_exploitability": "The CVSS score of 7.5 conveys a high severity, while the EPSS assessment of less than 1% suggests that active exploitation is currently unlikely at scale, and the vulnerability is not listed in the CISA KEV catalog. However, the flaw can be leveraged once an attacker gains authenticated access to the recordings configuration or can interact with the TTS interface, which is often exposed over the web to privileged users. The likely attack path is remote control via the web interface that passes unsanitized arguments to the elevenlabs integration. Given the high severity and the potential for full system takeover, any user who can run the TTS function must consider this a critical risk."}}}}, "created": "2026-03-06T15:01:31.829831+00:00", "updated": "2026-04-16T12:30:06.107593+00:00", "vendors": ["freepbx", "freepbx$PRODUCT$security-reporting"]}