Summary

SRA has identified multiple vulnerabilities in Sangoma Switchvox SMB that can lead to stored and reflected cross-site scripting (XSS), SQL injection (SQLi), remote code execution (RCE), and local file inclusion (LFI).

CVE Identifiers

CVE ID CVE Name
CVE-2026-9585 Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal
CVE-2026-9586 Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB
CVE-2026-9587 Authenticated Local File Inclusion (LFI) in Switchvox SMB Web Portal
CVE-2026-9588 Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal

Vulnerability Details / Description

CVE-2026-9585 Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal

An unauthenticated reflected cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 (104997). The application fails to properly sanitize the portal parameter supplied to the invalid_browser and invalid_browser_login handlers. User-supplied data is reflected into JavaScript generated by the application, allowing attacker-controlled script execution within a victim’s browser.

Severity

The CVSS base score of this vulnerability has been calculated to be 8.6 (High)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L

CVE-2026-9586 Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB

An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with and directly concatenates the user-controlled PhoneIP value into PostgreSQL queries without sanitization or parameterization. An unauthenticated remote attacker can execute arbitrary SQL statements against the backend PostgreSQL database using a single crafted request, including database operations and remote code execution.

Severity

The CVSS base score of this vulnerability has been calculated to be 9.3 (Critical)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE-2026-9587 Authenticated Local File Inclusion (LFI) in Switchvox SMB Web Portal

An authenticated local file inclusion vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The play_file functionality accepts user-controlled input through the sound_path parameter and fails to properly validate file paths before accessing the underlying filesystem. By supplying absolute paths, an authenticated attacker can retrieve files outside the intended directory scope.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.1 (High)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVE-2026-9588 Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal

A stored cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997) within the voicemail notification template functionality. The submit_modify_voicemail_template endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious JavaScript supplied through the template_text parameter to be stored server-side and subsequently rendered to other users.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.0 (High)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:L/SA:L

Affected Versions and Models

Sangoma Switchvox SMB from 8.3 (104997) before 8.4.0.2.

MITRE CWE Weakness Enumeration

CVE-2026-9585

  • CWE-79 Improper neutralization of input during web page generation (‘cross-site scripting’)

CVE-2026-9586

  • CWE-89 Improper neutralization of special elements used in an SQL command (‘SQL injection’)

CVE-2026-9587

  • CWE-73 External control of file name or path

CVE-2026-9588

  • CWE-79 Improper neutralization of input during web page generation (‘cross-site scripting’)

Remediation Options

Update Sangoma Switchvox SMB to 8.4.0.2 or later.

Source

These vulnerabilities were discovered by Cameron Lischke as part of research performed by Security Risk Advisors.

Timeframe

  • May 11-26 2026 - SRA submits vulnerabilities to vendor
  • June 2, 2026 - Vendor acknowledges disclosed vulnerabilities and intent to fix.
  • July 14, 2026 - Vendor releases fix
  • July 17, 2026 - SRA publishes CVEs and advisory