LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-28210

CVE-2026-28210 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 6, 2026

FreePBX - SQL Injection

Published: March 5, 2026Updated: March 6, 2026Remote Exploitable

Overview

FreePBX < 16.0.49 and < 17.0.7 contains a SQL injection caused by improper sanitization in the cdr module, letting attackers execute arbitrary SQL queries, exploit requires crafted input.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary SQL queries, potentially leading to data disclosure or modification.

Mitigation

Upgrade to versions 16.0.49 or 17.0.7 or later.

References

Social Media Activity(1 post)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 7, 2026

šŸŸ  CVE-2026-28210 - High (8.8) FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-28210/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-28210
Severity
High
CVSS Score
8.8
Type
sql_injection
Status
confirmed
EPSS
4.7%
Social Posts
1

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.7%Probability of exploitation in the next 30 days