CVE-2026-23738
published 2026-02-06


Priority: P4 30
CVSS 3.1: 6.1 (medium)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.16% (5.6th percentile)
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user-supplied/controlled values for cookies and for any GET query-string parameter are interpolated directly into the page HTML using ast_str_append. The GET /httpstatus endpoint, implemented in asterisk/main/http.c, is the potentially vulnerable endpoint. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
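The defect class described above is untrusted request data (a cookie or query-string value) written straight into HTML. The following added example, written for this page and not taken from Asterisk's code base, contrasts that weak pattern with the fix: escaping the value for an HTML text context before it is appended. The helper names (html_escape, render_row_unsafe, render_row_escaped) and the sample cookie value are hypothetical and constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the five characters that carry meaning in HTML text and attribute
 * contexts. Returns a newly allocated string the caller must free, or NULL
 * on allocation failure. Hypothetical helper for this example. */
char *html_escape(const char *in)
{
    size_t len = 0;
    const char *p;

    /* First pass: compute the escaped length. */
    for (p = in; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;   /* &amp;  */
        case '<':
        case '>':  len += 4; break;   /* &lt; / &gt; */
        case '"':  len += 6; break;   /* &quot; */
        case '\'': len += 5; break;   /* &#39;  */
        default:   len += 1;
        }
    }

    char *out = malloc(len + 1);
    if (!out)
        return NULL;

    /* Second pass: copy, substituting entities. */
    char *q = out;
    for (p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t r = strlen(rep);
            memcpy(q, rep, r);
            q += r;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Weak pattern: the untrusted value is dropped straight into markup, the
 * same shape of defect the advisory describes for the status page. */
int render_row_unsafe(char *buf, size_t size, const char *name, const char *value)
{
    return snprintf(buf, size, "<tr><td>%s</td><td>%s</td></tr>\n", name, value);
}

/* Fixed pattern: escape both untrusted fields, then interpolate. Returns the
 * snprintf result, or -1 if escaping failed. */
int render_row_escaped(char *buf, size_t size, const char *name, const char *value)
{
    char *en = html_escape(name);
    char *ev = html_escape(value);
    if (!en || !ev) {
        free(en);
        free(ev);
        return -1;
    }
    int n = snprintf(buf, size, "<tr><td>%s</td><td>%s</td></tr>\n", en, ev);
    free(en);
    free(ev);
    return n;
}

int main(void)
{
    /* Constructed cookie value containing markup-significant characters. */
    const char *cookie_value = "x<i>y</i>&\"z'";
    char buf[256];

    render_row_unsafe(buf, sizeof buf, "session", cookie_value);
    printf("unsafe : %s", buf);   /* the <i> element survives into the page */

    render_row_escaped(buf, sizeof buf, "session", cookie_value);
    printf("escaped: %s", buf);   /* rendered as literal text instead */
    return 0;
}
```

The escaped row is what a status page should emit for any value that originates from the request; the contrast with the unsafe row is the whole difference between reflecting text and reflecting markup.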

Affected

13 ranges

Vendor   | Product            | Version range                                   | Fixed in
asterisk | asterisk           | < 23.2.2                                        | 23.2.2
asterisk | asterisk           | < 22.8.2                                        | 22.8.2
asterisk | asterisk           | < 21.12.1                                       | 21.12.1
asterisk | asterisk           | < 20.18.2                                       | 20.18.2
asterisk | asterisk           | < 20.7-cert9                                    | 20.7-cert9
asterisk | asterisk           | >= 0 < 1:16.28.0~dfsg-0+deb11u9                 | 1:16.28.0~dfsg-0+deb11u9
debian   | asterisk           | < asterisk 1:16.28.0~dfsg-0+deb11u9 (bullseye)  | asterisk 1:16.28.0~dfsg-0+deb11u9 (bullseye)
sangoma  | asterisk           | <= 20.18.2                                      |
sangoma  | asterisk           | 21.0.0 – 21.12.1                                |
sangoma  | asterisk           | 22.0.0 – 22.8.2                                 |
sangoma  | asterisk           | >= 23.0.0 < 23.2.2                              | 23.2.2
sangoma  | certified_asterisk | <= 18.9                                         |
sangoma  | certified_asterisk |                                                 |

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv           |         | 6.1   | MEDIUM   |
vendor_debian |         | 3.5   | LOW      |