[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-46376":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-29T13:18:49.423Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":171,"aliases":172,"duplicate_of":9,"upstream":173,"downstream":174,"duplicates":175,"related":176,"reserved_at":9,"published_at":177,"modified_at":177,"state":178,"summary":179,"references_raw":186,"kevs":192,"epss":9,"epss_history":193,"metrics":194,"affected":198},"CVE-2026-46376","FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-798","Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key.","weakness","Draft","Base","High",[20,118],{"id":21,"name":22,"techniques":23},"CAPEC-191","Read Sensitive Constants Within an Executable",[24],{"id":25,"name":26,"tactics":27,"countermeasures":31},"T1552.001","Credentials In Files",[28],{"id":29,"name":30},"TA0031","Credential Access",[32,37,41,45,50,54,58,63,67,72,76,80,84,89,93,98,102,106,110,114],{"id":33,"name":34,"tactic":35},"D3-CCSA","Credential Compromise Scope Analysis",{"name":36},"Detect",{"id":38,"name":39,"tactic":40},"D3-FA","File Analysis",{"name":36},{"id":42,"name":43,"tactic":44},"D3-FIM","File Integrity Monitoring",{"name":36},{"id":46,"name":47,"tactic":48},"D3-CR","Credential Revocation",{"name":49},"Evict",{"id":51,"name":52,"tactic":53},"D3-ANCI","Authentication Cache Invalidation",{"name":49},{"id":55,"name":56,"tactic":57},"D3-FEV","File Eviction",{"name":49},{"id":59,"name":60,"tactic":61},"D3-DUC","Decoy User Credential",{"name":62},"Deceive",{"id":64,"name":65,"tactic":66},"D3-DF","Decoy File",{"name":62},{"id":68,"name":69,"tactic":70},"D3-CH","Credential Hardening",{"name":71},"Harden",{"id":73,"name":74,"tactic":75},"D3-MFA","Multi-factor Authentication",{"name":71},{"id":77,"name":78,"tactic":79},"D3-CRO","Credential Rotation",{"name":71},{"id":81,"name":82,"tactic":83},"D3-FE","File Encryption",{"name":71},{"id":85,"name":86,"tactic":87},"D3-RIC","Reissue Credential",{"name":88},"Restore",{"id":90,"name":91,"tactic":92},"D3-RF","Restore File",{"name":88},{"id":94,"name":95,"tactic":96},"D3-CTS","Credential Transmission Scoping",{"name":97},"Isolate",{"id":99,"name":100,"tactic":101},"D3-CF","Content Filtering",{"name":97},{"id":103,"name":104,"tactic":105},"D3-LFP","Local File Permissions",{"name":97},{"id":107,"name":108,"tactic":109},"D3-RFAM","Remote File Access Mediation",{"name":97},{"id":111,"name":112,"tactic":113},"D3-CQ","Content Quarantine",{"name":97},{"id":115,"name":116,"tactic":117},"D3-CM","Content Modification",{"name":97},{"id":119,"name":120,"techniques":121},"CAPEC-70","Try Common or Default Usernames and Passwords",[122],{"id":123,"name":124,"tactics":125,"countermeasures":141},"T1078.001","Default Accounts",[126,129,132,135,138],{"id":127,"name":128},"TA0030","Defense Evasion",{"id":130,"name":131},"TA0005","Stealth",{"id":133,"name":134},"TA0110","Persistence",{"id":136,"name":137},"TA0111","Privilege Escalation",{"id":139,"name":140},"TA0108","Initial Access",[142,147,151,155,159,163,167],{"id":143,"name":144,"tactic":145},"D3-AM","Access Modeling",{"name":146},"Model",{"id":148,"name":149,"tactic":150},"D3-AL","Account Locking",{"name":49},{"id":152,"name":153,"tactic":154},"D3-AA","Agent Authentication",{"name":71},{"id":156,"name":157,"tactic":158},"D3-CDP","Change Default Password",{"name":71},{"id":160,"name":161,"tactic":162},"D3-ULA","Unlock Account",{"name":88},{"id":164,"name":165,"tactic":166},"D3-RUAA","Restore User Account Access",{"name":88},{"id":168,"name":169,"tactic":170},"D3-UAP","User Account Permissions",{"name":97},[],[],[],[],[],[],"2026-05-29T12:39:57.690Z","PUBLISHED",{"cisa_kev":180,"cisa_ransomware":180,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":181,"severity_score":182,"severity_version":183,"severity_source":184,"severity_vector":185,"severity_status":178},false,"critical",9.3,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",[187],{"url":188,"sources":189,"tags":190},"https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx",[184],[191],"X Refsource CONFIRM",[],[],[195],{"source":184,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":196},{"baseScore":182,"baseSeverity":197,"vectorString":185,"impactScore":9,"exploitabilityScore":9},"CRITICAL",[199],{"ecosystem":9,"name":200,"vendor":201,"product":200,"cpe_part":202,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":203},"security-reporting","freepbx","a",[204,211],{"version":205,"is_range":206,"range_type":184,"version_start":207,"version_start_type":208,"version_end":209,"version_end_type":210,"fixed_in":9},">= 15.0.42, \u003C 16.0.45",true,"15.0.42","including","16.0.45","excluding",{"version":212,"is_range":206,"range_type":184,"version_start":213,"version_start_type":208,"version_end":214,"version_end_type":210,"fixed_in":9},">= 17.0.1, \u003C 17.0.7","17.0.1","17.0.7"]