{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23738", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-15T15:45:01.957Z", "datePublished": "2026-02-06T16:41:43.769Z", "dateUpdated": "2026-02-06T17:44:20.480Z"}, "containers": {"cna": {"title": "The Asterisk embedded web server 's /httpstatus page echos user supplied values(cookie and query string) without sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh"}], "affected": [{"vendor": "asterisk", "product": "asterisk", "versions": [{"version": "< 23.2.2", "status": "affected"}, {"version": "< 22.8.2", "status": "affected"}, {"version": "< 21.12.1", "status": "affected"}, {"version": "< 20.18.2", "status": "affected"}, {"version": "< 20.7-cert9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T16:41:43.769Z"}, "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "source": {"advisory": "GHSA-v6hp-wh3r-cwxh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T17:43:40.418371Z", "id": "CVE-2026-23738", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T17:44:20.480Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23738", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T17:43:40.418371Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T17:44:13.843Z"}}], "cna": {"title": "The Asterisk embedded web server 's /httpstatus page echos user supplied values(cookie and query string) without sanitization", "source": {"advisory": "GHSA-v6hp-wh3r-cwxh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "asterisk", "product": "asterisk", "versions": [{"status": "affected", "version": "< 23.2.2"}, {"status": "affected", "version": "< 22.8.2"}, {"status": "affected", "version": "< 21.12.1"}, {"status": "affected", "version": "< 20.18.2"}, {"status": "affected", "version": "< 20.7-cert9"}]}], "references": [{"url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh", "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T16:41:43.769Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23738", "state": "PUBLISHED", "dateUpdated": "2026-02-06T17:44:20.480Z", "dateReserved": "2026-01-15T15:45:01.957Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T16:41:43.769Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "55FE60C1-D6E7-40DE-A1E3-C37A8ED13BAA", "versionEndIncluding": "20.18.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "842D5FCD-E7A1-45AF-BC46-7C6CB03AE88E", "versionEndIncluding": "21.12.1", "versionStartIncluding": "21.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "F12BA0F4-535F-409E-B2AB-84B703707055", "versionEndIncluding": "22.8.2", "versionStartIncluding": "22.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "B036D768-9ADA-4965-A596-BEF60749C3CD", "versionEndExcluding": "23.2.2", "versionStartIncluding": "23.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "44460225-C50D-414A-A2E0-F8280E1C1E1D", "versionEndIncluding": "18.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*", "matchCriteriaId": "79225576-AF7C-4099-9624-C53578A7417F", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*", "matchCriteriaId": "29323E6E-12C9-46C7-B29C-25E0CD537A8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*", "matchCriteriaId": "8E563972-78C0-40A0-83EA-6A3BA3D71946", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*", "matchCriteriaId": "64209621-D458-432A-B0E3-C8D0B6698574", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*", "matchCriteriaId": "B148158A-8354-41C2-A44C-2C0DAABAD217", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*", "matchCriteriaId": "3D4D96E8-1F01-42B8-9181-67DEB12D9DD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*", "matchCriteriaId": "50D1B02A-F5F9-48EB-A396-412821F5D602", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*", "matchCriteriaId": "4CBB2891-448F-4C4E-8A47-2283A8F71FE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*", "matchCriteriaId": "A9AF30E9-FC50-4A5C-BC99-9B3394488B9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert8:*:*:*:*:*:*", "matchCriteriaId": "1A41366F-EA16-4867-A198-ACFFE5AFEA9A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "id": "CVE-2026-23738", "lastModified": "2026-02-18T18:42:48.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-06T17:16:26.000", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:41:20.893068+00:00", "value": {"mitigation_remediation": ["Upgrade Asterisk to any fixed version (20.7\u2011cert9 or later for certified releases, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 for the open\u2011source edition).", "If an upgrade is not immediately possible, restrict external network access to the embedded web server or block the \"/httpstatus\" endpoint using firewall or host\u2011based access controls so that only trusted local systems can reach it.", "Consider disabling the embedded web server entirely or limiting its authentication mechanisms if it is not required for your deployment, thereby reducing the attack surface that can deliver client\u2011side code."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is Asterisk, the open source telephony toolkit. Vendor Sangoma distributes both the community edition and certified releases. All versions prior to 20.7\u2011cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2 contain the flaw. Those fixed releases contain sanitization logic to prevent the injection of uncontrolled content into the /httpstatus page.", "description_and_impact": "Asterisk exposes a flaw in its embedded web interface at the \"/httpstatus\" endpoint where values supplied via cookies and GET query parameters are written directly into the returned HTML page using the unsafe ast_str_append function. Because no sanitization or escaping is performed, an attacker can inject arbitrary HTML or JavaScript that will execute in the victim's browser when the page is viewed. This client\u2011side code execution can lead to session hijacking, credential theft, or further compromise of the web server, making it a classic XSS vulnerability. The impact is limited to the browser context of users who load the page; it does not provide direct remote code execution or access to the underlying Asterisk instance.", "risk_and_exploitability": "The CVSS score of 3.5 indicates low overall severity, and the EPSS score of less than 1\u202f% suggests that exploitation attempts are currently rare. The vulnerability is not listed in the CISA Known Exploited Vulnerability catalog. Attackers would need to send a crafted URL or cookie to a user who accesses the /httpstatus page, which is typically not exposed publicly. If the embedded web server is reachable over the internet, the risk rises because any authenticated or unauthenticated user could be forced to load the page and thus be subject to XSS. The primary resolution therefore is to update the software so that input values are properly escaped before rendering."}}}}, "created": "2026-02-09T10:50:42.644160+00:00", "updated": "2026-04-17T22:45:29.939370+00:00", "vendors": ["asterisk", "asterisk$PRODUCT$asterisk"]}