{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23739", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-15T15:45:01.957Z", "datePublished": "2026-02-06T16:42:25.816Z", "dateUpdated": "2026-02-06T17:37:22.223Z"}, "containers": {"cna": {"title": "Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42"}], "affected": [{"vendor": "asterisk", "product": "asterisk", "versions": [{"version": "< 23.2.2", "status": "affected"}, {"version": "< 22.8.2", "status": "affected"}, {"version": "< 21.12.1", "status": "affected"}, {"version": "< 20.18.2", "status": "affected"}, {"version": "< 20.7-cert9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T16:42:25.816Z"}, "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "source": {"advisory": "GHSA-85x7-54wr-vh42", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T17:36:34.440710Z", "id": "CVE-2026-23739", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T17:37:22.223Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23739", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T17:36:34.440710Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T17:37:07.099Z"}}], "cna": {"title": "Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection", "source": {"advisory": "GHSA-85x7-54wr-vh42", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "asterisk", "product": "asterisk", "versions": [{"status": "affected", "version": "< 23.2.2"}, {"status": "affected", "version": "< 22.8.2"}, {"status": "affected", "version": "< 21.12.1"}, {"status": "affected", "version": "< 20.18.2"}, {"status": "affected", "version": "< 20.7-cert9"}]}], "references": [{"url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42", "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T16:42:25.816Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23739", "state": "PUBLISHED", "dateUpdated": "2026-02-06T17:37:22.223Z", "dateReserved": "2026-01-15T15:45:01.957Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T16:42:25.816Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "46AC3571-DD52-4F3C-98D2-3BB915498D41", "versionEndExcluding": "20.18.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9CB7760-849C-42CB-BF9A-A3DB40F19447", "versionEndExcluding": "21.12.1", "versionStartIncluding": "21.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "03AEEF8D-B546-4587-A236-63E2C41582FF", "versionEndExcluding": "22.8.2", "versionStartIncluding": "22.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "B036D768-9ADA-4965-A596-BEF60749C3CD", "versionEndExcluding": "23.2.2", "versionStartIncluding": "23.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "44460225-C50D-414A-A2E0-F8280E1C1E1D", "versionEndIncluding": "18.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*", "matchCriteriaId": "79225576-AF7C-4099-9624-C53578A7417F", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*", "matchCriteriaId": "29323E6E-12C9-46C7-B29C-25E0CD537A8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*", "matchCriteriaId": "8E563972-78C0-40A0-83EA-6A3BA3D71946", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*", "matchCriteriaId": "64209621-D458-432A-B0E3-C8D0B6698574", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*", "matchCriteriaId": "B148158A-8354-41C2-A44C-2C0DAABAD217", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*", "matchCriteriaId": "3D4D96E8-1F01-42B8-9181-67DEB12D9DD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*", "matchCriteriaId": "50D1B02A-F5F9-48EB-A396-412821F5D602", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*", "matchCriteriaId": "4CBB2891-448F-4C4E-8A47-2283A8F71FE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*", "matchCriteriaId": "A9AF30E9-FC50-4A5C-BC99-9B3394488B9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert8:*:*:*:*:*:*", "matchCriteriaId": "1A41366F-EA16-4867-A198-ACFFE5AFEA9A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "id": "CVE-2026-23739", "lastModified": "2026-02-18T18:42:37.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-06T17:16:26.147", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Asterisk: Asterisk: Local file disclosure via unsafe XML parsing", "id": "2437909", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437909"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "details": ["Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.", "A flaw was found in Asterisk. The `ast_xml_open()` function in `xml.c` processes XML documents using `libxml` with unsafe parsing options, enabling entity expansion and XInclude processing. A remote attacker can exploit this by providing specially crafted XML input, leading to XML External Entity (XXE) or XInclude-based local file disclosure. This vulnerability could allow the attacker to expose sensitive files from the host system."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict the ability for untrusted users to provide XML input to the Asterisk service. Configure Asterisk to process XML only from trusted sources, or disable any features that accept external XML input if they are not critical for your environment."}, "name": "CVE-2026-23739", "public_date": "2026-02-06T16:42:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23739\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23739\nhttps://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42"], "statement": "This vulnerability has a LOW impact on Red Hat products. Asterisk, as distributed in Community Projects (EPEL 8/9, Fedora), is affected by an XML External Entity (XXE) and XInclude processing flaw. If an attacker can provide untrusted XML input to Asterisk, it may lead to local file disclosure.", "threat_severity": "Low"}

{"created": "2026-02-09T10:50:35.581405+00:00", "updated": "2026-02-09T10:50:35.581440+00:00", "vendors": ["asterisk", "asterisk$PRODUCT$asterisk"]}