There were two CVEs addressed on September 15th – both in the “framework” module. The fixed “framework” modules started shipping from the FreePBX mirrors at approx. 2025-09-15T07:40:00Z. The CVEs were publicly published on GitHub about 12 hours later.
The post-authentication command injection issue in “framework” (GHSA-xg83-m6q5-q24h, CVE-2025-55211) was opened in May. This only affected some recent versions of FreePBX 17 (installed over the past year).
The unauthenticated denial-of-service issue in “framework” (GHSA-frc2-jhgg-rwpr, CVE-2025-59056) – previously linked in OP – was opened last week. This affected all previous releases of all three supported versions of FreePBX: 15, 16 and 17. As previously mentioned in the advisory on GitHub, the issue is likely eleven years old (or more) owing to this line of code (also linked in the “History” section of the GHSA):
This is an interesting idea, thank you – one might consider further research into an unrelated project where this is being discussed & changed a lot recently, e.g. Android Open Source Project (AOSP) and their Android Security Bulletins (ASB) pivot over the past few months to focus on high-risk issues for advance notification to vendors.