<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>CVE-2026-9586 on SRA Labs | Cybersecurity Research &amp; Innovation by Security Risk Advisors</title>
    <link>https://labs.sra.io/tags/cve-2026-9586/</link>
    <description>Recent content in CVE-2026-9586 on SRA Labs | Cybersecurity Research &amp; Innovation by Security Risk Advisors</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Fri, 17 Jul 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://labs.sra.io/tags/cve-2026-9586/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Advisory: Sangoma Switchvox SMB</title>
      <link>https://labs.sra.io/posts/switchvox/</link>
      <pubDate>Fri, 17 Jul 2026 12:00:00 +0000</pubDate>
      
      <guid>https://labs.sra.io/posts/switchvox/</guid>
      <description>&lt;h1 id=&#34;summary&#34;&gt;Summary&lt;/h1&gt;
&lt;p&gt;SRA has identified multiple vulnerabilities in Sangoma Switchvox SMB that can lead to stored and reflected cross-site scripting (XSS), SQL injection (SQLi), remote code execution (RCE), and local file inclusion (LFI).&lt;/p&gt;
&lt;h1 id=&#34;cve-identifiers&#34;&gt;CVE Identifiers&lt;/h1&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;CVE ID&lt;/th&gt;
          &lt;th&gt;CVE Name&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2026-9585&lt;/td&gt;
          &lt;td&gt;Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2026-9586&lt;/td&gt;
          &lt;td&gt;Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2026-9587&lt;/td&gt;
          &lt;td&gt;Authenticated Local File Inclusion (LFI) in Switchvox SMB Web Portal&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2026-9588&lt;/td&gt;
          &lt;td&gt;Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;h1 id=&#34;vulnerability-details--description&#34;&gt;Vulnerability Details / Description&lt;/h1&gt;
&lt;h2 id=&#34;cve-2026-9585-unauthenticated-reflected-cross-site-scripting-xss-in-switchvox-smb-web-portal&#34;&gt;CVE-2026-9585 Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal&lt;/h2&gt;
&lt;p&gt;An unauthenticated reflected cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 (104997). The application fails to properly sanitize the portal parameter supplied to the invalid_browser and invalid_browser_login handlers. User-supplied data is reflected into JavaScript generated by the application, allowing attacker-controlled script execution within a victim&amp;rsquo;s browser.&lt;/p&gt;</description>
      <content>&lt;h1 id=&#34;summary&#34;&gt;Summary&lt;/h1&gt;
&lt;p&gt;SRA has identified multiple vulnerabilities in Sangoma Switchvox SMB that can lead to stored and reflected cross-site scripting (XSS), SQL injection (SQLi), remote code execution (RCE), and local file inclusion (LFI).&lt;/p&gt;
&lt;h1 id=&#34;cve-identifiers&#34;&gt;CVE Identifiers&lt;/h1&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;CVE ID&lt;/th&gt;
          &lt;th&gt;CVE Name&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2026-9585&lt;/td&gt;
          &lt;td&gt;Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2026-9586&lt;/td&gt;
          &lt;td&gt;Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2026-9587&lt;/td&gt;
          &lt;td&gt;Authenticated Local File Inclusion (LFI) in Switchvox SMB Web Portal&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2026-9588&lt;/td&gt;
          &lt;td&gt;Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;h1 id=&#34;vulnerability-details--description&#34;&gt;Vulnerability Details / Description&lt;/h1&gt;
&lt;h2 id=&#34;cve-2026-9585-unauthenticated-reflected-cross-site-scripting-xss-in-switchvox-smb-web-portal&#34;&gt;CVE-2026-9585 Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal&lt;/h2&gt;
&lt;p&gt;An unauthenticated reflected cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 (104997). The application fails to properly sanitize the portal parameter supplied to the invalid_browser and invalid_browser_login handlers. User-supplied data is reflected into JavaScript generated by the application, allowing attacker-controlled script execution within a victim&amp;rsquo;s browser.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Severity&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The CVSS base score of this vulnerability has been calculated to be 8.6 (High)&lt;/p&gt;
&lt;p&gt;CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:L&lt;/p&gt;
&lt;h2 id=&#34;cve-2026-9586-unauthenticated-sql-injection-leading-to-remote-code-execution-in-switchvox-smb&#34;&gt;CVE-2026-9586 Unauthenticated SQL Injection Leading to Remote Code Execution in Switchvox SMB&lt;/h2&gt;
&lt;p&gt;An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The /pa endpoint processes XML content beginning with &lt;PolycomIPPhone&gt; and directly concatenates the user-controlled PhoneIP value into PostgreSQL queries without sanitization or parameterization. An unauthenticated remote attacker can execute arbitrary SQL statements against the backend PostgreSQL database using a single crafted request, including database operations and remote code execution.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Severity&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The CVSS base score of this vulnerability has been calculated to be 9.3 (Critical)&lt;/p&gt;
&lt;p&gt;CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N&lt;/p&gt;
&lt;h2 id=&#34;cve-2026-9587-authenticated-local-file-inclusion-lfi-in-switchvox-smb-web-portal&#34;&gt;CVE-2026-9587 Authenticated Local File Inclusion (LFI) in Switchvox SMB Web Portal&lt;/h2&gt;
&lt;p&gt;An authenticated local file inclusion vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997). The play_file functionality accepts user-controlled input through the sound_path parameter and fails to properly validate file paths before accessing the underlying filesystem. By supplying absolute paths, an authenticated attacker can retrieve files outside the intended directory scope.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Severity&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The CVSS base score of this vulnerability has been calculated to be 7.1 (High)&lt;/p&gt;
&lt;p&gt;CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N&lt;/p&gt;
&lt;h2 id=&#34;cve-2026-9588-authenticated-stored-cross-site-scripting-xss-in-switchvox-smb-web-portal&#34;&gt;CVE-2026-9588 Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal&lt;/h2&gt;
&lt;p&gt;A stored cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition 8.3 (104997) within the voicemail notification template functionality. The submit_modify_voicemail_template endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious JavaScript supplied through the template_text parameter to be stored server-side and subsequently rendered to other users.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Severity&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The CVSS base score of this vulnerability has been calculated to be 7.0 (High)&lt;/p&gt;
&lt;p&gt;CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:L/SA:L&lt;/p&gt;
&lt;h1 id=&#34;affected-versions-and-models&#34;&gt;Affected Versions and Models&lt;/h1&gt;
&lt;p&gt;Sangoma Switchvox SMB from 8.3 (104997) before 8.4.0.2.&lt;/p&gt;
&lt;h1 id=&#34;mitre-cwe-weakness-enumeration&#34;&gt;MITRE CWE Weakness Enumeration&lt;/h1&gt;
&lt;p&gt;CVE-2026-9585&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CWE-79 Improper neutralization of input during web page generation (&amp;lsquo;cross-site scripting&amp;rsquo;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;CVE-2026-9586&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CWE-89 Improper neutralization of special elements used in an SQL command (&amp;lsquo;SQL injection&amp;rsquo;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;CVE-2026-9587&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CWE-73 External control of file name or path&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;CVE-2026-9588&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CWE-79 Improper neutralization of input during web page generation (&amp;lsquo;cross-site scripting&amp;rsquo;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h1 id=&#34;remediation-options&#34;&gt;Remediation Options&lt;/h1&gt;
&lt;p&gt;Update Sangoma Switchvox SMB to 8.4.0.2 or later.&lt;/p&gt;
&lt;h1 id=&#34;source&#34;&gt;Source&lt;/h1&gt;
&lt;p&gt;These vulnerabilities were discovered by Cameron Lischke as part of research performed by Security Risk Advisors.&lt;/p&gt;
&lt;h1 id=&#34;timeframe&#34;&gt;Timeframe&lt;/h1&gt;
&lt;ul&gt;
&lt;li&gt;May 11-26 2026 - SRA submits vulnerabilities to vendor&lt;/li&gt;
&lt;li&gt;June 2, 2026 - Vendor acknowledges disclosed vulnerabilities and intent to fix.&lt;/li&gt;
&lt;li&gt;July 14, 2026 - Vendor releases fix&lt;/li&gt;
&lt;li&gt;July 17, 2026 - SRA publishes CVEs and advisory&lt;/li&gt;
&lt;/ul&gt;
</content>
    </item>
    
  </channel>
</rss>
