Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1060958?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "type": "deb", "namespace": "debian", "name": "asterisk", "version": "1:22.9.0+dfsg+~cs6.16.60671434-1", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64676?format=api", "vulnerability_id": "VCID-1qxc-4xk5-2feu", "summary": "Asterisk: Asterisk: Arbitrary code execution and file overwrite as root via insecure ast_coredumper file handling", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23740.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23740.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23740", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.025", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02517", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02512", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02514", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02538", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02516", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02504", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02503", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03531", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03544", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0367", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23740" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23740", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23740" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438", "reference_id": "1127438", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437723", "reference_id": "2437723", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437723" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c", "reference_id": "GHSA-xpc6-x892-v83c", "reference_type": "", "scores": [ { "value": "0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N" }, { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-06T19:11:52Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2026-23740" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "7.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1qxc-4xk5-2feu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96720?format=api", "vulnerability_id": "VCID-2qjc-yspn-xydj", "summary": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47780", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00454", "scoring_system": "epss", "scoring_elements": "0.63818", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.68839", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.68859", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.68869", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.6879", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.68768", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.6882", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.6877", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.68862", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.68847", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00577", "scoring_system": "epss", "scoring_elements": "0.68818", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47780" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47780", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47780" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106530", "reference_id": "1106530", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106530" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2", "reference_id": "GHSA-c7p6-7mvq-8jq2", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T17:24:44Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2025-47780" ], "risk_score": 2.1, "exploitability": "0.5", "weighted_severity": "4.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2qjc-yspn-xydj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56274?format=api", "vulnerability_id": "VCID-43ff-97jw-hkce", "summary": "Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1131", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14083", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.13936", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.1384", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.13834", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14137", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.13943", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14025", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14078", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14023", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.13986", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16034", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1131" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1131", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1131" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp", "reference_id": "GHSA-v9q8-9j8m-5xwp", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/V:C/RE:H/U:Amber" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-24T03:55:15Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp" }, { "reference_url": "https://security.gentoo.org/glsa/202601-04", "reference_id": "GLSA-202601-04", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202601-04" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2025-1131" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-43ff-97jw-hkce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96800?format=api", "vulnerability_id": "VCID-63fe-saga-13ct", "summary": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54995", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76862", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76927", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76935", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.7693", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76889", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76894", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76914", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76886", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76876", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00991", "scoring_system": "epss", "scoring_elements": "0.76844", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01038", "scoring_system": "epss", "scoring_elements": "0.77363", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54995" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54995", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54995" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/0278f5bde14565c6838a6ec39bc21aee0cde56a9", "reference_id": "0278f5bde14565c6838a6ec39bc21aee0cde56a9", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:53:35Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/0278f5bde14565c6838a6ec39bc21aee0cde56a9" }, { "reference_url": "https://github.com/asterisk/asterisk/pull/1405", "reference_id": "1405", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:53:35Z/" } ], "url": "https://github.com/asterisk/asterisk/pull/1405" }, { "reference_url": "https://github.com/asterisk/asterisk/pull/1406", "reference_id": "1406", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:53:35Z/" } ], "url": "https://github.com/asterisk/asterisk/pull/1406" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/eafcd7a451dcd007dddf324ac37dd55a4808338d", "reference_id": "eafcd7a451dcd007dddf324ac37dd55a4808338d", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:53:35Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/eafcd7a451dcd007dddf324ac37dd55a4808338d" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2", "reference_id": "GHSA-557q-795j-wfx2", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-28T18:53:35Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2025-54995" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-63fe-saga-13ct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64677?format=api", "vulnerability_id": "VCID-8kjy-xtm2-bqan", "summary": "Asterisk: Asterisk: Local file disclosure via unsafe XML parsing", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23739.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23739.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23739", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.14927", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.14948", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.14808", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.14898", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.14913", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.14875", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.14816", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15004", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17345", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17353", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17385", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23739" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23739", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23739" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438", "reference_id": "1127438", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437909", "reference_id": "2437909", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437909" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42", "reference_id": "GHSA-85x7-54wr-vh42", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T17:36:34Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2026-23739" ], "risk_score": 0.9, "exploitability": "0.5", "weighted_severity": "1.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8kjy-xtm2-bqan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96182?format=api", "vulnerability_id": "VCID-9u4p-wdky-a3h1", "summary": "Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42365", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.96795", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.96825", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.96822", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.96819", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.96812", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.9681", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.96809", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.96801", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.3195", "scoring_system": "epss", "scoring_elements": "0.96796", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42365" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42365", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42365" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078574", "reference_id": "1078574", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078574" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4", "reference_id": "42a2f4ccfa2c7062a15063e765916b3332e34cc4", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T16:38:45Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8", "reference_id": "7a0090325bfa9d778a39ae5f7d0a98109e4651c8", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T16:38:45Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71", "reference_id": "b4063bf756272254b160b6d1bd6e9a3f8e16cc71", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T16:38:45Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993", "reference_id": "bbe68db10ab8a80c29db383e4dfe14f6eafaf993", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T16:38:45Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2", "reference_id": "faddd99f2b9408b524e5eb8a01589fe1fa282df2", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T16:38:45Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44", "reference_id": "GHSA-c4cg-9275-6w44", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T16:38:45Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44" }, { "reference_url": "https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426", "reference_id": "manager.c#L6426", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T16:38:45Z/" } ], "url": "https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426" }, { "reference_url": "https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426", "reference_id": "manager.c#L6426", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T16:38:45Z/" } ], "url": "https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2024-42365" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9u4p-wdky-a3h1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96268?format=api", "vulnerability_id": "VCID-gy3u-c6dc-sbbn", "summary": "An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53566", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15447", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.1553", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15466", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15391", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15396", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15594", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15662", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15461", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15548", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15603", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15567", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53566" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53566", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53566" }, { "reference_url": "https://gist.github.com/hyp164D1/e7c0f44ffb38c00320aa1a6d98bee616", "reference_id": "e7c0f44ffb38c00320aa1a6d98bee616", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T17:37:51Z/" } ], "url": "https://gist.github.com/hyp164D1/e7c0f44ffb38c00320aa1a6d98bee616" }, { "reference_url": "https://github.com/asterisk/asterisk/blob/22/main/manager.c#L2556", "reference_id": "manager.c#L2556", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T17:37:51Z/" } ], "url": "https://github.com/asterisk/asterisk/blob/22/main/manager.c#L2556" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2024-53566" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gy3u-c6dc-sbbn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97012?format=api", "vulnerability_id": "VCID-phb4-xaj7-byg2", "summary": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23741", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.1028", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10319", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10381", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10412", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10373", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10351", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10347", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10245", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.1235", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12246", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12244", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23741" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23741", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23741" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438", "reference_id": "1127438", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3", "reference_id": "GHSA-rvch-3jmx-3jf3", "reference_type": "", "scores": [ { "value": "0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T17:22:49Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2026-23741" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-phb4-xaj7-byg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96183?format=api", "vulnerability_id": "VCID-qcqe-63ev-f7gv", "summary": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42491", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.7658", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76572", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76584", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76484", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76513", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76496", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76528", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76539", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76565", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00963", "scoring_system": "epss", "scoring_elements": "0.76545", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42491" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42491", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42491" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4", "reference_id": "42a2f4ccfa2c7062a15063e765916b3332e34cc4", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T18:48:24Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/4f01669c7c41c9184f3cce9a3cf1b2ebf6201742", "reference_id": "4f01669c7c41c9184f3cce9a3cf1b2ebf6201742", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T18:48:24Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/4f01669c7c41c9184f3cce9a3cf1b2ebf6201742" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/50bf8d4d3064930d28ecf1ce3397b14574d514d2", "reference_id": "50bf8d4d3064930d28ecf1ce3397b14574d514d2", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T18:48:24Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/50bf8d4d3064930d28ecf1ce3397b14574d514d2" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8", "reference_id": "7a0090325bfa9d778a39ae5f7d0a98109e4651c8", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T18:48:24Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8" }, { "reference_url": "https://github.com/asterisk/asterisk/commit/a15050650abf09c10a3c135fab148220cd41d3a0", "reference_id": "a15050650abf09c10a3c135fab148220cd41d3a0", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T18:48:24Z/" } ], "url": "https://github.com/asterisk/asterisk/commit/a15050650abf09c10a3c135fab148220cd41d3a0" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v428-g3cw-7hv9", "reference_id": "GHSA-v428-g3cw-7hv9", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T18:48:24Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v428-g3cw-7hv9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2024-42491" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qcqe-63ev-f7gv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96325?format=api", "vulnerability_id": "VCID-r54j-ydjm-4uca", "summary": "Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-57520", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87647", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87641", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87636", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87634", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87649", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87588", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87601", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87604", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.87624", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.03515", "scoring_system": "epss", "scoring_elements": "0.8763", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-57520" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57520", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57520" }, { "reference_url": "https://github.com/asterisk/asterisk/issues/1122", "reference_id": "1122", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T15:16:16Z/" } ], "url": "https://github.com/asterisk/asterisk/issues/1122" }, { "reference_url": "https://gist.github.com/hyp164D1/ae76ab25acfbe263b2ed7b24b6e5c621", "reference_id": "ae76ab25acfbe263b2ed7b24b6e5c621", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T15:16:16Z/" } ], "url": "https://gist.github.com/hyp164D1/ae76ab25acfbe263b2ed7b24b6e5c621" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2024-57520" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r54j-ydjm-4uca" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96719?format=api", "vulnerability_id": "VCID-u91b-9huy-43hn", "summary": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47779", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51354", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51324", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51367", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51374", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51279", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51304", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51264", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51319", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51316", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51359", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00279", "scoring_system": "epss", "scoring_elements": "0.51338", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47779" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47779", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47779" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106528", "reference_id": "1106528", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106528" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw", "reference_id": "GHSA-2grh-7mhv-fcfw", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-22T17:25:58Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw" }, { "reference_url": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample", "reference_id": "pjsip.conf.sample", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-22T17:25:58Z/" } ], "url": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2025-47779" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "6.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u91b-9huy-43hn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97011?format=api", "vulnerability_id": "VCID-ytty-tbs1-ffc7", "summary": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23738", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13683", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13627", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13678", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13648", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13611", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13564", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13745", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13546", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15877", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15817", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15831", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23738" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23738", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23738" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438", "reference_id": "1127438", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438" }, { "reference_url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh", "reference_id": "GHSA-v6hp-wh3r-cwxh", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T17:43:40Z/" } ], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/585943?format=api", "purl": "pkg:deb/debian/asterisk@1:22.8.2%2Bdfsg%2B~cs6.15.60671435-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.8.2%252Bdfsg%252B~cs6.15.60671435-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1060958?format=api", "purl": "pkg:deb/debian/asterisk@1:22.9.0%2Bdfsg%2B~cs6.16.60671434-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" } ], "aliases": [ "CVE-2026-23738" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ytty-tbs1-ffc7" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:22.9.0%252Bdfsg%252B~cs6.16.60671434-1" }