{"uuid": "50056fe8-3585-4234-baf5-de3fedd3ede8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-m55x-h47x-v3gx", "type": "seen", "source": "https://gist.github.com/ichintu/d777ea5b68bd57d9ca8afc2774b06bad", "content": "**FreePBX & \u201cFreePBX\u201d group\u202f\u2013 15\u202fMay\u202f2026**\n\n| Issue | Affected releases | Fix | Severity | Notes |\n|-------|-------------------|-----|----------|-------|\n| **AV26\u2013474** \u2013 Unauthenticated UCP access via hard\u2011coded \u201cuserman\u201d credentials | FreePBX\u202f16\u202fSecure\u2011Reporting\u202f\u2264\u202f16.0.45; FreePBX\u202f17\u202fSecure\u2011Reporting\u202f\u2264\u202f17.0.7 | (1) Read the full advisory on GitHub; (2) apply the latest patches for the affected version; (3) follow the Akamai Cyber Centre mitigation guidance. | High (CVSS\u202f8.7) | Advisory download link is in the original posting |\n\n**Other CVEs disclosed on the same day**\n\n| CVE | Product | Issue | Severity | Remediation |\n|-----|--------|-------|----------|-------------|\n| **CVE\u20112026\u20118686** | coreMQTT <\u202f5.0.1 | MQTT\u202fv5\u202fproperty parser skips a bounds check \u2192 buffer overflow, crash, DoS | 8.7 | Upgrade to 5.0.1+ |\n| **CVE\u20112026\u201146364** | phpMyFAQ <\u202f4.1.2 | Unauthenticated SQLi via `/api/captcha` + User\u2011Agent header \u2192 time\u2011based blind queries | 9.8 | Upgrade to 4.1.2+ |\n| **CVE\u20112026\u201145010** | phpMyFAQ \u2264\u202f4.1.2 | Unauthenticated 2FA brute\u2011force on `/admin/check` \u2192 6\u2011digit TOTP can be cracked | 9.1 | Upgrade to 4.1.2+ or patch |\n| **CVE\u20112021\u201147966** | PHP Timeclock 1.04 | Blind SQLi in `login_userid` (no auth required) | 8.8 | Patch or upgrade |\n| **CVE\u20112021\u201147965** | WP Super Edit\u202f2.5.4 | Unrestricted file\u2011upload via FCKeditor \u2192 RCE | 9.8 | Upgrade or disable the editor |\n| **CVE\u20112021\u201147964** | Schlix\u202fCMS\u202f2.2.6\u20116 | RCE via crafted ZIP \u2192 malicious PHP in `packageinfo.inc` | 8.8 | Upgrade to a release later than 2.2.6\u20116 |\n| **CVE\u20112021\u201147959** | WPGraphQL\u202f1.3.5 | Unauthenticated DoS via repeated fields in batch queries | 8.7 | Upgrade |\n| **CVE\u20112026\u20118695** | radare2\u202fv6.1.5 | Use\u2011after\u2011free in `gdbr_threads_list()` \u2192 potential DoS / UAC | 8.7 | Upgrade to 6.1.6+ |\n| **CVE\u20112026\u201145038** | Tabby\u202f<\u202f1.0.233 | Buffer\u2011overflow on control\u2011char paths \u2192 arbitrary code execution | 8.4 | Upgrade to 1.0.233 |\n| **CVE\u20112026\u201145035** | Tabby\u202f<\u202f1.0.233 | Zero\u2011click RCE via `tabby://run?command=` | 9.4 | Upgrade |\n| **CVE\u20112026\u201144717** | MCP Calculate Server \u2264\u202f0.1.0 | Remote code execution via unsanitized `eval()` of math expressions | 9.8 | Upgrade to 0.1.1 |\n| **CVE\u20112026\u201144699** | libjwt 3.0.0\u20113.3.2 | JWT algorithm\u2011confusion: a token with no `alg` header is verified as HS256 with a zero\u2011length key | 8.8 | Upgrade to \u2265\u202f3.4.0 |\n| **CVE\u20112026\u201142155** | Magento LTS <\u202f20.18.0 | Predictable (MD5\u2011based) session IDs \u2192 brute\u2011force session hijacking | 9.3 | Upgrade to 20.18.0 |\n| **CVE\u20112026\u201141258** | OpenMRS 2.7.0\u20112.7.8 / 2.8.0\u20112.8.5 | Velocity SSTI in `ConceptReferenceRangeUtility.evaluateCriteria()` \u2192 RCE | 9.8 | Upgrade to 2.7.9 / 2.8.6 |\n| **CVE\u20112026\u201146508** | Turborepo LSP VS\u202fCode extension <\u202f2.9.14000 | Command injection via workspace settings or task names | 8.4 | Upgrade to 2.9.14000 |\n| **CVE\u20112026\u20112031** | Google Cloud App Integration (pre\u20112026\u201101\u201123) | Unauthenticated API calls \u2192 read sensitive data, run code | 10.0 | Apply the patched releases |\n| **CVE\u20112026\u201134253** | ogg123 (vorbis\u2011tools\u202f1.4.3) | Stack buffer\u2011underflow \u2192 crash / RCE | 8.2 | Patch |\n| **CVE\u20112026\u201144112** through **CVE\u20112026\u201144118** | OpenClaw AI\u2011agent framework | Multiple RCE / data\u2011exfiltration flaws | 10.0 \u201cCritical\u201d | Patch immediately |\n\n**Action items**\n\n1. **Apply all relevant patches** (FreePBX, PHP Timeclock, phpMyFAQ, coreMQTT, Tabby, radare2, etc.).  \n2. **Upgrade libraries and platforms** that receive long\u2011term maintenance (libjwt, Magento LTS, OpenMRS).  \n3. **Verify** that affected custom modules or extensions (WP editors, Schlix CMS, the Turborepo extension, etc.) are removed or disabled wherever an upgrade is not yet possible.  \n4. **Follow the Cyber Centre\u2019s mitigation guidance** for FreePBX and for any other advisory that offers fast\u2011track mitigations.  \n5. **Monitor** public advisories and the NIST NVD entries for the CVEs above for new exploits or additional mitigations.\n\n*All links to the full advisories and remediation details are available in the original posting.*", "creation_timestamp": "2026-05-15T20:01:09.000000Z"}
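The libjwt row above describes a token whose header has no `alg` being verified as HS256 with a zero-length key. The following is an added illustration of that bug class written for this digest; it is not libjwt's code, not taken from the gist, and does not reproduce the actual CVE-2026-44699 code path. `verify_naive` is a hypothetical verifier that models the described behaviour, `verify_hardened` shows the checks a practitioner would want instead, and `SERVER_KEY` is a constructed sample secret.

```python
"""Added example: JWT algorithm-confusion via a missing `alg` header.
Models the flaw class summarised in the digest (missing alg -> HS256 with a
zero-length key). Hypothetical code written for this page, not libjwt's."""
import base64
import hashlib
import hmac
import json

# Constructed sample secret for the demo (35 bytes, i.e. >= 256 bits).
SERVER_KEY = b"constructed-32-byte-demo-key-0123456"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT's base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def encode(payload: dict, key: bytes, header: dict) -> str:
    """Build header.payload.signature, signing with HS256 over `key`."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{_b64url(_hs256(f'{h}.{p}'.encode(), key))}"


def verify_naive(token: str, key: bytes) -> dict:
    """Hypothetical vulnerable verifier (assumption, models the digest's text):
    a header without `alg` falls through to HS256, and on that path the key
    used is empty rather than the configured one."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    alg = header.get("alg")
    if alg is None:
        alg, key = "HS256", b""  # the flaw: zero-length key, attacker-computable
    if alg != "HS256":
        raise ValueError("unsupported alg")
    if not hmac.compare_digest(_hs256(f"{h}.{p}".encode(), key), _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def verify_hardened(token: str, key: bytes, allowed=("HS256",)) -> dict:
    """Explicit alg allow-list with no default, and a minimum key length
    (RFC 7518 section 3.2: HS256 keys must be at least 256 bits)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    alg = header.get("alg")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} missing or not allowed")
    if len(key) < 32:
        raise ValueError("HMAC key shorter than 256 bits")
    if not hmac.compare_digest(_hs256(f"{h}.{p}".encode(), key), _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def forge_token(payload: dict) -> str:
    """What an attacker with no key material sends: no `alg`, HMAC over b''."""
    return encode(payload, b"", {"typ": "JWT"})


def demo() -> dict:
    """Run forged and legitimate tokens through both verifiers."""
    forged = forge_token({"sub": "admin", "role": "administrator"})
    legit = encode({"sub": "alice"}, SERVER_KEY, {"alg": "HS256", "typ": "JWT"})
    result = {}
    for name, fn, tok in (("naive_accepts_forged", verify_naive, forged),
                          ("hardened_accepts_forged", verify_hardened, forged),
                          ("hardened_accepts_legit", verify_hardened, legit)):
        try:
            fn(tok, SERVER_KEY)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The forged token carries no `alg` and a signature anyone can compute, yet the naive verifier accepts it for any configured server key; the hardened verifier rejects it because `alg` is absent from the allow-list, and would also reject a configured key that is too short to be a valid HS256 key.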