CVE-2026-44239 | FreePBX up to 16.0.21/17.0.4 Dashboard class.php include rawname filename control (GHSA-hw7v-v2jp-wc4v)

A vulnerability categorized as critical has been discovered in FreePBX up to 16.0.21/17.0.4. Affected by this issue is the function include of the file class.php of the component Dashboard Module. Such manipulation of the argument rawname leads to improper control of filename for include/require statement in php program (‘php remote file inclusion’).

This vulnerability is traded as CVE-2026-44239. The attack may be launched remotely. There is no exploit available.

It is advisable to upgrade the affected component.VulDB Recent EntriesRead More