Certified asterisk

This hub aggregates every CVE we track for Certified asterisk, a product in the communications space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Certified asterisk.

• CVE-2026-23739Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection2.0Feb 6, 2026
• CVE-2026-23738The Asterisk embedded web server 's /httpstatus page echos user supplied values(cookie and query string) without sanitization3.5Feb 6, 2026
• CVE-2025-1131Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation7.8Sep 23, 2025
• CVE-2025-54995Asterisk remotely exploitable leak of RTP UDP ports and internal resources6.5Aug 28, 2025
• CVE-2025-49832Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation6.5Aug 1, 2025
• CVE-2025-47780cli_permissions.conf: deny option does not work for disallowing shell commands7.8May 22, 2025
• CVE-2025-47779Using malformed From header can forge identity with ";" or NULL in name portion7.7May 22, 2025
• CVE-2024-42491A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used5.7Sep 5, 2024
• CVE-2024-42365Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan7.4Aug 8, 2024
• CVE-2023-49786Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation7.5Dec 14, 2023
• CVE-2023-37457Asterisk's PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'7.5Dec 14, 2023
• CVE-2023-49294Asterisk Path Traversal vulnerability4.9Dec 14, 2023
• CVE-2022-42706An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected ...4.9Dec 5, 2022
• CVE-2022-42705A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing...6.5Dec 5, 2022
• CVE-2021-46837res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=im...6.5Aug 30, 2022