CVE-2026-9585

Sangoma · Switchvox SMB Edition

A reflected cross-site scripting (XSS) vulnerability exists in Sangoma Switchvox SMB Edition version 8, allowing for unauthorized script execution.

Executive summary

An unauthenticated reflected cross-site scripting vulnerability in Sangoma Switchvox SMB Edition exposes users to potential session theft and unauthorized actions.

Vulnerability

This is a reflected cross-site scripting (XSS) vulnerability (CWE-79) where input is not properly neutralized during web page generation. An unauthenticated attacker can trick a user into executing malicious scripts within their browser session.

Business impact

Reflected XSS can be used to hijack user sessions, capture sensitive data, or perform actions on behalf of the user within the Switchvox interface. With a CVSS score of 8.6, this vulnerability poses a high risk to organizational security, particularly if administrative users are targeted, potentially leading to full control over the PBX system.

Remediation

Immediate Action: Update Sangoma Switchvox SMB Edition to version 8.4.0.2 or later as specified in the vendor release notes.

Proactive Monitoring: Review access logs for suspicious URL patterns containing embedded script tags or anomalous redirect activity.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter out malicious payloads from incoming HTTP requests and enforce strong Content Security Policy (CSP) headers.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

The update to version 8.4.0.2 should be applied immediately to mitigate the risk of reflected XSS attacks. Administrators should ensure that the patch is verified against the vendor release notes to confirm the vulnerability has been addressed in their specific environment.