Cross-Site Scripting Vulnerability in Asterisk Telephony Toolkit
CVE-2026-23738

3.5LOW

Key Information:

Vendor: Asterisk
Status: Asterisk
Vendor: CVE Published:; 6 February 2026

What is CVE-2026-23738?

The Asterisk Telephony Toolkit has a cross-site scripting vulnerability due to user-supplied values for Cookies and GET query parameters being directly inserted into the HTML of pages. This flaw affects endpoints like GET /httpstatus and could allow attackers to inject malicious scripts into web pages viewed by other users. The issue has been rectified in several versions of Asterisk.

Affected Version(s)

asterisk < 23.2.2 < 23.2.2

asterisk < 22.8.2 < 22.8.2

asterisk < 21.12.1 < 21.12.1

References

https://github.com/asterisk/asterisk/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 6, 2026
Vulnerability Reserved
Jan 15, 2026

CVE-2026-23738 Data

JSON