Aggregates CVE and security vulnerability intelligence across all xorcom-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk path handling and vendor risk cross-site scripting and related problems; some flaws may lead to vendor impact session compromise, affecting vendor surface production workloads scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-30006 | Xorcom CompletePBX is vulnerable to a reflected cross-site scripting (XSS) in the administrative control panel. This issue affects CompletePBX: all versions up to and prior to 5.2.35 | [email protected] | 6.1 | 0.27% | 2025-03-31 | 2025-09-24 |
| CVE-2025-30005 | Xorcom CompletePBX is vulnerable to a path traversal via the Diagnostics reporting module, which will allow reading of arbitrary files and additionally delete any retrieved file in place of the expected report. This issue affects CompletePBX: all versions up to and prior to 5.2.35 | [email protected] | 8.3 | 70.19% | 2025-03-31 | 2025-12-27 |
| CVE-2025-30004 | Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35 | [email protected] | 8.8 | 70.58% | 2025-03-31 | 2025-12-27 |
| CVE-2025-2292 | Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality.This issue affects CompletePBX: through 5.2.35. | [email protected] | 6.5 | 52.80% | 2025-03-31 | 2025-12-27 |