CVE-2026-46512
Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping
CVSS Score
9.9
EPSS Score
0.0%
EPSS Percentile
0th
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2.
| CWE | CWE-94 |
| Vendor | mwtcmi |
| Product | frogman |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for mwtcmi frogman
Be the first to know when new critical vulnerabilities affecting mwtcmi frogman are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
mwtcmi / frogman
< 1.6.2
References
github.com: https://github.com/mwtcmi/frogman/security/advisories/GHSA-pxfc-q72v-jh8m github.com: https://github.com/mwtcmi/frogman/commit/36a05ffa2df1d256b6f6f7c3b66ef77ebe3e458a github.com: https://github.com/mwtcmi/frogman/releases/tag/v1.6.1 github.com: https://github.com/mwtcmi/frogman/releases/tag/v1.6.2