Platform
asterisk
Component
asterisk
Fixed in
23.2.3
22.8.3
21.12.2
20.18.3
20.7.1
CVE-2026-23738 describes a Cross-Site Scripting (XSS) vulnerability affecting Asterisk versions up to and including 23.2.2. This vulnerability allows attackers to inject malicious scripts into the Asterisk HTTP status page, potentially leading to session hijacking or defacement. The vulnerability stems from improper handling of user-controlled input in the /httpstatus endpoint, specifically Cookies and GET query parameters. A patch is available in version 23.2.3.
Successful exploitation of CVE-2026-23738 allows an attacker to inject arbitrary JavaScript code into the Asterisk HTTP status page. This can be leveraged to steal user session cookies, redirect users to malicious websites, or deface the page. The impact is amplified if the Asterisk server is publicly accessible or integrated with other systems, as the attacker could potentially gain access to sensitive data or compromise the entire network. While the CVSS score is LOW, the ease of exploitation and potential for lateral movement make this a significant concern, particularly in environments with limited security controls.
CVE-2026-23738 was publicly disclosed on 2026-02-06. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is pending evaluation. This vulnerability does not appear to be listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-23738 is to upgrade Asterisk to version 23.2.3 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out malicious input in Cookies and GET parameters targeting the /httpstatus endpoint. Input validation on the server-side can also help prevent the injection of malicious scripts. Regularly review Asterisk configuration to ensure the /httpstatus endpoint is not publicly accessible if not required.
Update Asterisk to version 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2, or a later version. This will correct the Cross-Site Scripting (XSS) vulnerability on the /httpstatus page of the embedded web server.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-23738 is a Cross-Site Scripting (XSS) vulnerability in Asterisk versions up to 23.2.2, allowing attackers to inject malicious scripts via the /httpstatus endpoint.
You are affected if you are running Asterisk versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 or earlier. Upgrade to 23.2.3 or later to mitigate the risk.
Upgrade Asterisk to version 23.2.3 or later. As a temporary workaround, implement a WAF rule to filter malicious input on the /httpstatus endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official Asterisk security advisory for details: [https://www.asterisk.org/security-advisories/]
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.