Asterisk

This hub aggregates every CVE we track for Asterisk, a product in the communications space. Use it to gauge the current risk picture and drill into individual advisories.

Communicationson-premweb app

160

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

MEDIUM85HIGH56CRITICAL11LOW8

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Asterisk.

CVE-2026-23739Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection2.0Feb 6, 2026
CVE-2026-23738The Asterisk embedded web server 's /httpstatus page echos user supplied values(cookie and query string) without sanitization3.5Feb 6, 2026
CVE-2025-1131Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation7.8Sep 23, 2025
CVE-2025-57767Asterisk can crash from a specifically malformed Authorization header in an incoming SIP request7.5Aug 28, 2025
CVE-2025-54995Asterisk remotely exploitable leak of RTP UDP ports and internal resources6.5Aug 28, 2025
CVE-2025-49832Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation6.5Aug 1, 2025
CVE-2025-47780cli_permissions.conf: deny option does not work for disallowing shell commands7.8May 22, 2025
CVE-2025-47779Using malformed From header can forge identity with ";" or NULL in name portion7.7May 22, 2025
CVE-2024-57520Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact...9.8Feb 5, 2025
CVE-2024-53566An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.5.5Dec 2, 2024
CVE-2024-42491A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used5.7Sep 5, 2024
CVE-2024-42365Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan7.4Aug 8, 2024
CVE-2024-35190Asterisk' res_pjsip_endpoint_identifier_ip: wrongly matches ALL unauthorized SIP requests5.8May 17, 2024
CVE-2023-49786Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation7.5Dec 14, 2023
CVE-2023-37457Asterisk's PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'7.5Dec 14, 2023

Product normalization is registry-driven with AI assist and human review. How it works