XML Parsing Vulnerability in Asterisk Telephony Toolkit
CVE-2026-23739

2 LOW

Key Information:

Vendor

Asterisk

Status
Vendor
CVE Published:
6 February 2026

What is CVE-2026-23739?

The Asterisk Telephony Toolkit is affected by an XML parsing vulnerability that can lead to XML External Entity (XXE) attacks. The ast_xml_open() function in xml.c parses XML documents using libxml with unsafe options. When an attacker supplies a malicious XML file, this can enable local file disclosure on the host system. The vulnerability has been addressed in several patched versions, which protect against entity expansion and XInclude processing.
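
One way to screen XML files for the constructs this advisory names (external entities and XInclude) before they reach an unpatched Asterisk build. This is an added example, not Asterisk's code or its fix; `audit_xml` and the sample documents are hypothetical, and it relies on Python's expat bindings, which report declarations without fetching them.

```python
import xml.parsers.expat

# XInclude namespace URIs (W3C Recommendation and the earlier 2003 draft).
XINCLUDE_NS = {"http://www.w3.org/2001/XInclude", "http://www.w3.org/2003/XInclude"}

def audit_xml(data: bytes) -> list[str]:
    """Return findings for constructs that XXE and XInclude abuse relies on."""
    findings: list[str] = []
    # expat only reports declarations here; with no ExternalEntityRefHandler
    # installed it never fetches an external entity or DTD.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(f"external DTD: {system_id or public_id}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            findings.append(f"external entity {name}: {system_id}")

    def on_start(name, attrs):
        # With a namespace separator set, names arrive as "<uri> <local>".
        ns, _, local = name.rpartition(" ")
        if ns in XINCLUDE_NS and local == "include":
            findings.append(f"XInclude: {attrs.get('href')}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings

# Constructed sample inputs; paths and names are placeholders.
SAMPLE_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE cfg [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<cfg>&ext;</cfg>"""
SAMPLE_XINCLUDE = b"""<cfg xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="placeholder.xml" parse="text"/>
</cfg>"""
SAMPLE_CLEAN = b"<cfg><item name='a'/></cfg>"

if __name__ == "__main__":
    for label, doc in [("entity", SAMPLE_ENTITY), ("xinclude", SAMPLE_XINCLUDE), ("clean", SAMPLE_CLEAN)]:
        print(label, audit_xml(doc))
```

A non-empty result means the file should be reviewed before it is parsed by an unpatched build; upgrading to a patched version remains the actual remediation.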

Affected Version(s)

asterisk < 23.2.2

asterisk < 22.8.2

asterisk < 21.12.1

CVSS V3.1

Score:
2
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
