LeakyCreds

CVE-2026-28287 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: March 6, 2026

FreePBX - Command Injection

Published: March 5, 2026 | Updated: March 6, 2026 | Remote Exploitable

Overview

FreePBX versions 16.0.17.2 to before 16.0.20 and 17.0.2.4 to before 17.0.5 contain multiple command injection vulnerabilities in the recordings module that let remote attackers execute arbitrary commands. Exploitation requires crafted input.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 10.9% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary commands remotely, potentially leading to full system compromise.

Mitigation

Upgrade to versions 16.0.20 or 17.0.5 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 7, 2026

🟠 CVE-2026-28287 - High (8.8) FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28287/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-28287
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: confirmed
EPSS: 10.9%
Social Posts: 1

CWE

  • CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

10.9% (probability of exploitation in the next 30 days)