Advisory: Sangoma Switchvox SMB
Summary⌗
SRA has identified multiple vulnerabilities in Sangoma Switchvox SMB that can lead to stored and reflected cross-site scripting (XSS), SQL injection (SQLi), remote code execution (RCE), and local file inclusion (LFI).
CVE Identifiers⌗
| CVE ID | CVE Name |
|---|---|
| CVE-2026-9585 | Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal |
| CVE-2026-9586 | Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB |
| CVE-2026-9587 | Authenticated Local File Inclusion (LFI) in Switchvox SMB Web Portal |
| CVE-2026-9588 | Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal |
Vulnerability Details / Description⌗
CVE-2026-9585 Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal⌗
An unauthenticated reflected cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 (104997). The application fails to properly sanitize the portal parameter supplied to the invalid_browser and invalid_browser_login handlers. User-supplied data is reflected into JavaScript generated by the application, allowing attacker-controlled script execution within a victim’s browser.
Severity
The CVSS base score of this vulnerability has been calculated to be 8.6 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L
CVE-2026-9586 Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB⌗
An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with
Severity
The CVSS base score of this vulnerability has been calculated to be 9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE-2026-9587 Authenticated Local File Inclusion (LFI) in Switchvox SMB Web Portal⌗
An authenticated local file inclusion vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The play_file functionality accepts user-controlled input through the sound_path parameter and fails to properly validate file paths before accessing the underlying filesystem. By supplying absolute paths, an authenticated attacker can retrieve files outside the intended directory scope.
Severity
The CVSS base score of this vulnerability has been calculated to be 7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVE-2026-9588 Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal⌗
A stored cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997) within the voicemail notification template functionality. The submit_modify_voicemail_template endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious JavaScript supplied through the template_text parameter to be stored server-side and subsequently rendered to other users.
Severity
The CVSS base score of this vulnerability has been calculated to be 7.0 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:L/SA:L
Affected Versions and Models⌗
Sangoma Switchvox SMB from 8.3 (104997) before 8.4.0.2.
MITRE CWE Weakness Enumeration⌗
CVE-2026-9585
- CWE-79 Improper neutralization of input during web page generation (‘cross-site scripting’)
CVE-2026-9586
- CWE-89 Improper neutralization of special elements used in an SQL command (‘SQL injection’)
CVE-2026-9587
- CWE-73 External control of file name or path
CVE-2026-9588
- CWE-79 Improper neutralization of input during web page generation (‘cross-site scripting’)
Remediation Options⌗
Update Sangoma Switchvox SMB to 8.4.0.2 or later.
Source⌗
These vulnerabilities were discovered by Cameron Lischke as part of research performed by Security Risk Advisors.
Timeframe⌗
- May 11-26 2026 - SRA submits vulnerabilities to vendor
- June 2, 2026 - Vendor acknowledges disclosed vulnerabilities and intent to fix.
- July 14, 2026 - Vendor releases fix
- July 17, 2026 - SRA publishes CVEs and advisory