CVE-2026-46512
Received Received - Intake

Frogman PBX Arbitrary Command Injection via Dialplan Template

Vulnerability report for CVE-2026-46512, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
frogman fm_dialplan_apply 1.6.2
frogman frogman to 1.6.2 (exc)
frogman frogman From 1.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Frogman, a headless PBX control system, prior to version 1.6.2. It allows authenticated users with write permissions to inject arbitrary Asterisk dialplan commands by exploiting unsanitized template parameters like greeting, dest, url, extension, code, and file. The issue occurs because user input is directly written to extensions_custom.conf without proper validation, enabling commands such as System() or Set(SHELL(...)) to execute on the PBX host with root-equivalent privileges.

Detection Guidance

Check for unauthorized modifications in extensions_custom.conf by comparing it with known good versions or using integrity monitoring tools. Look for suspicious Asterisk directives like System(), Set(SHELL(...)), or Goto in dialplan templates. Review fm_dialplan_apply logs for failed validations or unexpected parameter values.

Impact Analysis

If exploited, this vulnerability allows an attacker with PERM_WRITE access to execute arbitrary system commands on the PBX host, potentially leading to full system compromise. This includes unauthorized access to sensitive data, disruption of PBX services, or further network infiltration. The attack requires network access and authenticated write permissions but no user interaction.

Compliance Impact

This vulnerability could severely impact compliance with GDPR and HIPAA by enabling unauthorized access to sensitive data (confidentiality breach) and potential data exfiltration or manipulation (integrity and availability breach). GDPR requires protecting personal data, while HIPAA mandates safeguarding protected health information. A successful exploit would violate these regulations, potentially resulting in legal penalties and reputational damage.

Mitigation Strategies

Upgrade Frogman to version 1.6.2 or later immediately. Restrict PERM_WRITE permissions to only trusted users. Manually review extensions_custom.conf for any injected malicious dialplan directives. Implement strict input validation for all template parameters.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart