๐Ÿ” CVE Alert

CVE-2026-46512

CRITICAL 9.9

Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping

CVSS Score
9.9
EPSS Score
0.0%
EPSS Percentile
0th

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2.

CWE CWE-94
Vendor mwtcmi
Product frogman
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for mwtcmi frogman

Be the first to know when new critical vulnerabilities affecting mwtcmi frogman are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

mwtcmi / frogman
< 1.6.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/mwtcmi/frogman/security/advisories/GHSA-pxfc-q72v-jh8m github.com: https://github.com/mwtcmi/frogman/commit/36a05ffa2df1d256b6f6f7c3b66ef77ebe3e458a github.com: https://github.com/mwtcmi/frogman/releases/tag/v1.6.1 github.com: https://github.com/mwtcmi/frogman/releases/tag/v1.6.2