CVE Catalog

CVE-2026-49472

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

12th percentile - higher than 12% of all known CVEs

Summary

FreeSWITCH prior to version 1.11.0 included a vulnerable function PREFIX(prologTok)() that was cloned from an outdated and vulnerable version in libexpat. This function did not receive the corresponding security patch.

Risk Assessment

Organizations using FreeSWITCH versions prior to 1.11.0 are at risk of potential attacks exploiting this vulnerability, which could lead to unauthorized access or other security threats.

Recommendation

It is recommended to upgrade FreeSWITCH to version 1.11.0 or later to mitigate this vulnerability.

Original NVD description (English source)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS