CVE-2026-40520

HIGH EPSS 68.7%
Published Apr 21, 20262mo ago · Modified Jun 17, 20262w ago
8.6 CVSS 4.0
High
Find Similar
Published Apr 21, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL moduleOperations mutation with backtick-wrapped commands in the module field to execute arbitrary commands on the underlying host as the web server user.

CVSS Details

Base Score
8.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
68.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 1

VendorProductVersionRange
freepbxapi* <17.0.8

References 4

  • github.com https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/Api.class.php#L546C1-L554C3
    Product
  • github.com https://github.com/FreePBX/api/blob/5f194e39a47e5481e8947f9694304d32724175f6/ApiGqlHelper.class.php#L34C1-L36C136
    Product
  • github.com https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6
    Patch
  • vulncheck.com https://www.vulncheck.com/advisories/freepbx-api-module-command-injection-via-graphql
    Third Party Advisory

Remediation

  • github.com https://github.com/FreePBX/api/commit/5f194e39a47e5481e8947f9694304d32724175f6
    Patch