CVE-2026-49472

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.

Vulnerability Details

Published Date

June 09, 2026

Last Modified

June 10, 2026

CWE ID

CWE-116

Source

NVD

Vendor

signalwire

Product

freeswitch

External References

https://github.com/signalwire/freeswitch/releases/tag/v1.11.0
https://github.com/signalwire/freeswitch/security/advisories/GHSA-4jm3-xpcm-mwwq

CVE-2026-49472

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment