ID

VAR-202602-1863


CVE

CVE-2026-23738


DESCRIPTION

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user-supplied or user-controlled values for cookies and any GET query parameter are interpolated directly into the HTML of the page using ast_str_append. The potentially vulnerable endpoint is GET /httpstatus, relating to asterisk/main/http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Trust: 1.0

sources: NVD: CVE-2026-23738

AFFECTED PRODUCTS

vendor: sangoma, model: asterisk, scope: lte, version: 20.18.2

Trust: 1.0

vendor: sangoma, model: asterisk, scope: lt, version: 23.2.2

Trust: 1.0

vendor: sangoma, model: certified asterisk, scope: lte, version: 18.9

Trust: 1.0

vendor: sangoma, model: asterisk, scope: gte, version: 21.0.0

Trust: 1.0

vendor: sangoma, model: asterisk, scope: lte, version: 22.8.2

Trust: 1.0

vendor: sangoma, model: asterisk, scope: gte, version: 23.0.0

Trust: 1.0

vendor: sangoma, model: certified asterisk, scope: eq, version: 20.7

Trust: 1.0

vendor: sangoma, model: asterisk, scope: gte, version: 22.0.0

Trust: 1.0

vendor: sangoma, model: asterisk, scope: lte, version: 21.12.1

Trust: 1.0

sources: NVD: CVE-2026-23738

CVSS

SEVERITY

security-advisories@github.com: CVE-2026-23738
value: LOW

Trust: 1.0

nvd@nist.gov: CVE-2026-23738
value: MEDIUM

Trust: 1.0

CVSSV2

CVSSV3

security-advisories@github.com: CVE-2026-23738
baseSeverity: LOW
baseScore: 3.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 1.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2026-23738
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: NVD: CVE-2026-23738 // NVD: CVE-2026-23738

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

sources: NVD: CVE-2026-23738

EXTERNAL IDS

db: NVD, id: CVE-2026-23738

Trust: 1.0

sources: NVD: CVE-2026-23738

REFERENCES

url:https://github.com/asterisk/asterisk/security/advisories/ghsa-v6hp-wh3r-cwxh

Trust: 1.0

sources: NVD: CVE-2026-23738

SOURCES

db: NVD, id: CVE-2026-23738

LAST UPDATE DATE

2026-02-19T23:25:36.942000+00:00


SOURCES UPDATE DATE

db: NVD, id: CVE-2026-23738, date: 2026-02-18T18:42:48.877

SOURCES RELEASE DATE

db: NVD, id: CVE-2026-23738, date: 2026-02-06T17:16:26