CVE-2026-49472
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
FreeSWITCH prior to version 1.11.0 included a vulnerable function PREFIX(prologTok)() that was cloned from an outdated and vulnerable version in libexpat. This function did not receive the corresponding security patch.
Risk Assessment
Organizations using FreeSWITCH versions prior to 1.11.0 are at risk of potential attacks exploiting this vulnerability, which could lead to unauthorized access or other security threats.
Recommendation
It is recommended to upgrade FreeSWITCH to version 1.11.0 or later to mitigate this vulnerability.
Original NVD description (English source)
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.

