FreePBX api
cpe:2.3:a:freepbx:freepbx:*:*:*:*:*:*:*
- <= 17.0.8
A command injection vulnerability has been identified in the FreePBX API module, affecting versions through 17.0.8. The issue arises in the initiateGqlAPIProcess() function, where GraphQL mutation input fields are directly passed to shell_exec() without proper sanitization or escaping. This vulnerability allows authenticated users with a valid bearer token to execute arbitrary commands on the host system as the web server user.
Exploitation of this vulnerability allows for arbitrary command execution on the underlying host as the web server user.
To reproduce this vulnerability, an authenticated user must send a GraphQL mutation called 'moduleOperations' with backtick-wrapped commands in the 'module' field. The 'initiateGqlAPIProcess' function will execute the commands on the server via 'shell_exec()', leading to command injection.
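As an added example (not FreePBX's own code), the hypothetical PHP helper below shows the bug class the advisory describes, untrusted GraphQL input interpolated into a shell_exec() string, next to a hardened version that allowlists the action, validates the module name and quotes the argument. The action list, the module-name pattern and the `fwconsole ma` command line are assumptions made for the example.

```php
<?php
// Added example, not FreePBX code: a hypothetical module-operation helper
// mirroring the pattern described in the advisory (GraphQL field -> shell_exec).

// Vulnerable pattern: the 'module' field is interpolated into a shell string,
// so shell metacharacters in the field are interpreted by /bin/sh.
function runModuleOperationUnsafe(string $action, string $module): ?string
{
    // Assumed command line; the real invocation is not shown on the page.
    return shell_exec("fwconsole ma $action $module");
}

// Hardened pattern: reject anything that is not a plausible module name.
function validateModuleName(string $module): bool
{
    // Assumed naming rule: lowercase alphanumerics and underscore, 1-64 chars.
    // \A and \z anchor the whole string so no trailing newline slips through.
    return (bool) preg_match('/\A[a-z0-9_]{1,64}\z/', $module);
}

function runModuleOperationSafe(string $action, string $module): ?string
{
    // Assumed set of supported actions; compare strictly (no type juggling).
    $allowedActions = ['install', 'uninstall', 'enable', 'disable'];
    if (!in_array($action, $allowedActions, true)) {
        throw new InvalidArgumentException('unsupported module action');
    }
    if (!validateModuleName($module)) {
        throw new InvalidArgumentException('invalid module name');
    }
    // escapeshellarg() is defence in depth: the allowlist above already
    // excludes every shell metacharacter, so quoting cannot be bypassed.
    return shell_exec('fwconsole ma ' . $action . ' ' . escapeshellarg($module));
}

// Constructed inputs: the first passes validation, the second is rejected
// before any process is spawned.
var_dump(validateModuleName('core'));        // bool(true)
var_dump(validateModuleName('core`id`'));    // bool(false)
```

The validation must run inside the API resolver, before the value reaches any process-spawning call; quoting alone without the allowlist leaves the door open to future refactors that drop the quoting.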
Users can update to FreePBX API module version 17.0.9 or later, where this vulnerability has been patched.