app/callcenters/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission callcenterqueueadd or callcenterqueue_edit) to execute any commands on the host as www-data.