Improper Encoding or Escaping of Output in freeswitch - CVE-2026-49472

Published: June 4, 2026


Vulnerability identifier: #VU133320
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-49472
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: www.freeswitch.org
Affected software:
freeswitch

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to memory corruption in PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c when parsing XML input. A remote user can send specially crafted XML data to cause a denial of service.

The affected function was cloned from an outdated libexpat codebase and may be exploitable in a manner similar to the original upstream issue.


How to mitigate CVE-2026-49472

Install the security update from the vendor's website.

Sources