{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "16.0.17.2" }, { "fixed": "16.0.20" }, { "introduced": "17.0.2.4" }, { "fixed": "17.0.5" } ] }, "events": [ { "introduced": "0" }, { "fixed": "8e0338c7d9462682a97c7cb31c7f98b9731a0258" }, { "introduced": "0" }, { "fixed": "64a49f43b78f0fb20ec8ed9bddbc6f2b6d93bc6d" } ], "repo": "https://github.com/freepbx/framework", "type": "GIT" } ] } ], "aliases": [ "GHSA-f558-mp87-58vj" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-78" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28209.json" }, "details": "FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.", "id": "CVE-2026-28209", "modified": "2026-04-01T23:10:40.488775907Z", "published": "2026-03-05T18:22:38.865Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28209.json" }, { "type": "ADVISORY", "url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-f558-mp87-58vj" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28209" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "FreePBX: Command Injection leading to Remote Code Execution in FreePBX ElevenLabs Text-to-Speech integration" }