CVE-2026-23738
Unknown Unknown - Not Provided
Cross-Site Scripting in Asterisk HTTP /httpstatus Endpoint

Publication date: 2026-02-06

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23738
EUVD
EUVD-2026-5645
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk to 18.9 (inc)
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma asterisk From 23.0.0 (inc) to 23.2.2 (exc)
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma asterisk From 21.0.0 (inc) to 21.12.1 (inc)
sangoma asterisk From 22.0.0 (inc) to 22.8.2 (inc)
sangoma asterisk to 20.18.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade Asterisk to a patched version where this vulnerability is fixed.

  • Upgrade to one of the following versions or later: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2.

Until the upgrade can be applied, consider restricting access to the /httpstatus endpoint to trusted users only, for example by network segmentation or firewall rules, to reduce exposure.

Additionally, monitor and filter suspicious HTTP requests that attempt to inject scripts via query parameters or cookies.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-23738 is a Cross-Site Scripting (XSS) vulnerability found in the Asterisk embedded web server, specifically on the /httpstatus page.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because user-supplied values from Cookies and GET query string parameters are directly inserted into the HTML output of the page without any sanitization or encoding.'}, {'type': 'paragraph', 'content': "This means an attacker can inject malicious scripts into the page by manipulating these inputs, which are then executed in the context of the user's browser."}, {'type': 'paragraph', 'content': 'The issue affects versions of Asterisk prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, where it has been patched.'}] [1]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the browsers of users who visit the vulnerable /httpstatus page.

Potential impacts include theft of credentials or tokens, and enabling further attacks such as Cross-Site Request Forgery (CSRF).

Because the attack requires user interaction (the user must visit the maliciously crafted page), the risk is somewhat limited but still significant.

The CVSS score is 3.5 (Low severity), indicating limited confidentiality impact and no impact on integrity or availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /httpstatus endpoint of the Asterisk embedded web server for reflected Cross-Site Scripting (XSS). Specifically, you can send HTTP GET requests with crafted query parameters or cookies containing script payloads and observe if these values are reflected unsanitized in the HTML response.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send requests with script tags in query parameters, for example: curl -i "http://<asterisk-server>/httpstatus?p=<script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'Check the HTTP response for the presence of the injected script tags or payloads in the HTML content.'}, {'type': 'list_item', 'content': 'Similarly, send requests with cookies containing script payloads and verify if they are reflected in the response.'}, {'type': 'paragraph', 'content': 'Detection involves confirming that user-supplied values from Cookies and GET parameters are directly echoed without sanitization, indicating the presence of the vulnerability.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23738. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart