VYPR
High severity · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-44239

Description

FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FreePBX Dashboard module before 16.0.22 and 17.0.5 allows authenticated path traversal leading to arbitrary PHP file inclusion and code execution.

Vulnerability

In FreePBX Dashboard module prior to versions 16.0.22 and 17.0.5, the getcontent AJAX handler includes PHP files based on user-supplied input without proper path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem [1].

Exploitation

An attacker must be authenticated with a known username. The attacker sends a crafted request to the getcontent AJAX endpoint with the rawname parameter containing path traversal sequences to target a .class.php file. The included file's PHP code executes before the subsequent class instantiation error occurs [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host as the webserver user (typically asterisk). This leads to high impact on confidentiality and integrity, with no impact on availability [1].

Mitigation

Update the Dashboard module to version 16.0.22 or 17.0.5. Additional mitigations include restricting access to the FreePBX Administrator Control Panel via user management, VPN, MFA, or SAML modules, and denying access from hostile networks [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization on the `$_REQUEST['rawname']` parameter allows path traversal in an `include()` call, enabling arbitrary `.class.php` file inclusion and execution."

Attack vector

An attacker must first authenticate with a known username to the FreePBX Administrator Control Panel. The attacker then sends a crafted AJAX request to the Dashboard module's `getcontent` handler, supplying a `rawname` parameter containing `../` path traversal sequences. The unsanitized input is concatenated into an `include()` call with a `.class.php` suffix, causing the server to load and execute an arbitrary `.class.php` file from the filesystem. The included PHP code executes before the subsequent class instantiation error occurs, allowing command execution as the webserver user (typically `asterisk`) [ref_id=1].

Affected code

The vulnerability resides in the Dashboard module's `getcontent` AJAX handler within `Dashboard.class.php`. The `$_REQUEST['rawname']` parameter is concatenated directly into an `include()` call with a `.class.php` suffix, allowing path traversal via `../` sequences to include arbitrary `.class.php` files from the filesystem. The issue was introduced on or before 2022, as shown in the blame history at line 146 of `Dashboard.class.php` [ref_id=1].

What the fix does

The advisory states the fix is to update the dashboard module to version 16.0.22 or 17.0.5, but the patch diff is not included in the bundle. The remediation closes the vulnerability by sanitizing or validating the `$_REQUEST['rawname']` parameter before it is used in the `include()` call, preventing path traversal sequences from reaching the filesystem. Without the patch, an attacker can include arbitrary `.class.php` files and execute their PHP code [ref_id=1].
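As an added illustration (not FreePBX's own code, and not the project's actual patch, which this page does not include), a PHP resolver of the kind the remediation describes: it allowlists the widget name and confines the resolved path to the widget directory before anything is handed to `include()`. The function names, the widget directory and the sample file are assumptions.

```php
<?php
// Added example, not FreePBX code. The advisory describes the vulnerable shape
// as, in effect:   include($_REQUEST['rawname'] . '.class.php');
// i.e. the request value reaches include() unchanged. The resolver below is
// what a hardened version of that step looks like.
declare(strict_types=1);

/**
 * Map a user-supplied widget name to a file inside $widgetDir, or return null.
 * Two independent checks: a strict allowlist on the name (no '/', '.', or '..'
 * can pass), then a realpath() confinement check so that even an allowlist
 * mistake or a stray symlink cannot lead outside the widget directory.
 */
function resolveWidgetClassFile(string $rawname, string $widgetDir): ?string
{
    // 1. Allowlist: identifier characters only, bounded length.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $rawname)) {
        return null;
    }
    // 2. Confinement: the canonical path must sit under the canonical base.
    $base      = realpath($widgetDir);
    $candidate = realpath($widgetDir . DIRECTORY_SEPARATOR . $rawname . '.class.php');
    if ($base === false || $candidate === false) {
        return null; // directory or widget file does not exist
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the widget directory
    }
    return $candidate;
}

function check(bool $ok, string $what): void
{
    if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); }
    echo "ok: $what\n";
}

// Self-check on a constructed temporary widget directory (assumed layout).
$dir = sys_get_temp_dir() . '/widgets_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/Clock.class.php', "<?php\n// sample widget (constructed)\n");

check(resolveWidgetClassFile('Clock', $dir) === realpath($dir . '/Clock.class.php'), 'known widget resolves');
check(resolveWidgetClassFile('../outside/Widget', $dir) === null, 'traversal sequence rejected');
check(resolveWidgetClassFile('Clock.class', $dir) === null, 'dot in name rejected');
check(resolveWidgetClassFile('Missing', $dir) === null, 'unknown widget rejected');

unlink($dir . '/Clock.class.php');
rmdir($dir);
```

Only the path returned by the resolver should ever reach `include()`; a null result is a request to reject and log, not a case to fall back on the raw value.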

Preconditions

  • auth: Attacker must have a valid username and be authenticated to the FreePBX Administrator Control Panel
  • network: Attacker must be able to send HTTP requests to the Dashboard module's getcontent AJAX endpoint
  • input: The target system must have a `.class.php` file on the filesystem that the attacker wishes to include

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)