CVE-2026-9588

Sangoma · Switchvox SMB Edition

A stored cross-site scripting (XSS) vulnerability in Sangoma Switchvox SMB Edition allows authenticated users to inject malicious scripts into the web interface.

Executive summary

A stored cross-site scripting vulnerability in Sangoma Switchvox SMB Edition allows authenticated attackers to execute malicious scripts, potentially compromising administrative sessions.

Vulnerability

The application is susceptible to stored cross-site scripting (CWE-79) due to improper neutralization of user-supplied input. This vulnerability can be exploited by an authenticated attacker who provides malicious input that is subsequently stored and executed in the browser of another user, such as an administrator.

Business impact

Successful exploitation may allow an attacker to hijack user sessions, perform unauthorized actions on behalf of other users, or steal sensitive session cookies. Given the CVSS score of 7.0, this vulnerability presents a significant risk to the security of the management console, potentially leading to full administrative compromise if an administrator interacts with the malicious payload.

Remediation

Immediate Action: Upgrade Sangoma Switchvox SMB Edition to version 8.4.0.2 or later as specified in the vendor release notes.

Proactive Monitoring: Monitor the application for unexpected script execution or unusual entries within fields that accept user input, as these may indicate attempted XSS injection.

Compensating Controls: Deploy a Web Application Firewall (WAF) configured with rules to detect and block common XSS payloads directed at the Switchvox web interface.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the persistent nature of stored XSS, this vulnerability poses an ongoing threat to all users of the Switchvox web interface. Organizations must prioritize upgrading to version 8.4.0.2 to ensure that input sanitization is correctly implemented and to secure the management environment against potential session-based attacks.