Home / Vulnerability Intelligence / CVE-2026-28284

CVE-2026-28284 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 6, 2026

FreePBX - SQL Injection

Published: March 5, 2026Updated: March 6, 2026Remote Exploitable

Overview

FreePBX < 16.0.10 and < 17.0.5 contains authenticated SQL injection vulnerabilities in the logfiles module, letting authenticated attackers execute arbitrary SQL commands, exploit requires user authentication.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 2.8%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.

Mitigation

Upgrade to versions 16.0.10 or 17.0.5 or later.

References

https://github.com/FreePBX/security-reporting/security/advisories/GHSA-4887-4jwp-327g

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🟠 CVE-2026-28284 - High (8.8) FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28284/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28284
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: confirmed
EPSS: 2.8%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

2.8%Probability of exploitation in the next 30 days