v1.6.1 — Security release (superseded by v1.6.2)
⚠️ Use v1.6.2 instead. v1.6.1'sinstall.phppolluted FreePBX's global$db, breaking the standardfwconsole ma install frogmanupgrade path with a SQL syntax error (UPDATE modules SET version=''1.6.1'' WHERE modulename=''frogman''). The migrations and security fixes themselves work correctly, but the FreePBX modules-table version-bump aborts and leaves the module inDisabled; Pending upgradestate, requiring manualmysql -e "UPDATE modules SET version=..."recovery.v1.6.2 contains all the same security fixes from v1.6.1 plus the install-path fix. It is a drop-in replacement. Install or upgrade to v1.6.2 directly — do not install v1.6.1 first.
The four security advisories below remain accurate; just install v1.6.2 to get the patches.
Security release. Patches four advisories disclosed via responsible disclosure on the FreePBX community forum on 2026-05-13:
- GHSA-pxfc-q72v-jh8m (Critical, CVSS 9.9) — dialplan template parameter injection in
fm_dialplan_apply - GHSA-9xf5-9ghq-p6cw (High, CVSS 7.4) — API tokens stored plaintext in
oc_api_tokens - GHSA-3p65-2prr-cfvf (Medium, CVSS 6.5) — plaintext credentials persisted to
oc_audit_log - GHSA-f5jv-9rh8-gq7c (Medium, CVSS 6.5) —
fm_update_extensionsilently wiped voicemail/Userman data
Upgrade notes
- Existing API tokens continue to authenticate without re-issuance. The install.php migration hashes existing rows in place; the raw value users have stored maps to the new prefixed-hash format.
- Historical
oc_audit_logscrub is irreversible. If you have compliance reasons to preserve the pre-patch audit log contents, back it up encrypted before upgrading. fm_audit_searchnow requires PERM_ADMIN. Read-tier API tokens that previously could query the audit log will be rejected. Re-issue with admin scope if needed.fm_dialplan_applynow validates template parameters strictly. Existing legitimate templates work unchanged; payloads with newlines, backticks, or${...}placeholders in URLs are rejected.
SECURITY.md was added at the repo root pointing at GitHub's private vulnerability report form for future disclosures.
Thanks to the FreePBX community member whose AI-assisted code review surfaced the originals.