CVE-2026-9588
Sangoma · Switchvox SMB Edition
A stored cross-site scripting (XSS) vulnerability in Sangoma Switchvox SMB Edition allows authenticated users to inject malicious scripts into the web interface.
Executive summary
A stored cross-site scripting vulnerability in Sangoma Switchvox SMB Edition allows authenticated attackers to execute malicious scripts, potentially compromising administrative sessions.
Vulnerability
The application is susceptible to stored cross-site scripting (CWE-79) due to improper neutralization of user-supplied input. This vulnerability can be exploited by an authenticated attacker who provides malicious input that is subsequently stored and executed in the browser of another user, such as an administrator.
Business impact
Successful exploitation may allow an attacker to hijack user sessions, perform unauthorized actions on behalf of other users, or steal sensitive session cookies. Given the CVSS score of 7.0, this vulnerability presents a significant risk to the security of the management console, potentially leading to full administrative compromise if an administrator interacts with the malicious payload.
Remediation
Immediate Action: Upgrade Sangoma Switchvox SMB Edition to version 8.4.0.2 or later as specified in the vendor release notes.
Proactive Monitoring: Monitor the application for unexpected script execution or unusual entries within fields that accept user input, as these may indicate attempted XSS injection.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured with rules to detect and block common XSS payloads directed at the Switchvox web interface.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Due to the persistent nature of stored XSS, this vulnerability poses an ongoing threat to all users of the Switchvox web interface. Organizations must prioritize upgrading to version 8.4.0.2 to ensure that input sanitization is correctly implemented and to secure the management environment against potential session-based attacks.