Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for frogman by mwtcmi

    CVE-2026-46515 (GCVE-0-2026-46515)

    Vulnerability from nvd – Published: 2026-07-16 18:17 – Updated: 2026-07-16 18:29
    VLAI
    Title
    Frogman: Multiple read-tier tools expose admin-grade data and arbitrary GraphQL execution
    Summary
    Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, and fm_diagnose_trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5_cred, and oauth_secret. This issue is fixed in version 1.6.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    mwtcmi frogman Affected: < 1.6.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46515",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T18:29:22.501446Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T18:29:28.728Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frogman",
              "vendor": "mwtcmi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, and fm_diagnose_trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5_cred, and oauth_secret. This issue is fixed in version 1.6.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T18:17:14.563Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-q4c4-5cr4-8q47",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-q4c4-5cr4-8q47"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/issues/13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/issues/13"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/issues/25",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/issues/25"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/55ea257d5c24bc01c814a607faa7e76e86b111ec",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/55ea257d5c24bc01c814a607faa7e76e86b111ec"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/b8a8bfc12b564bcb77caef952873b9ffd4a98b00",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/b8a8bfc12b564bcb77caef952873b9ffd4a98b00"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.3"
            }
          ],
          "source": {
            "advisory": "GHSA-q4c4-5cr4-8q47",
            "discovery": "UNKNOWN"
          },
          "title": "Frogman: Multiple read-tier tools expose admin-grade data and arbitrary GraphQL execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46515",
        "datePublished": "2026-07-16T18:17:14.563Z",
        "dateReserved": "2026-05-14T19:12:32.754Z",
        "dateUpdated": "2026-07-16T18:29:28.728Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46514 (GCVE-0-2026-46514)

    Vulnerability from nvd – Published: 2026-07-16 18:11 – Updated: 2026-07-16 18:40
    VLAI
    Title
    Frogman: Plaintext passwords and secrets persisted to audit log
    Summary
    Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_reset_password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm_add_extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode those responses into oc_audit_log.detail, allowing any PERM_READ caller with access to fm_audit_search to recover the stored credentials. This issue is fixed in version 1.6.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    mwtcmi frogman Affected: < 1.6.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T18:40:48.863863Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T18:40:59.789Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frogman",
              "vendor": "mwtcmi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_reset_password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm_add_extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode those responses into oc_audit_log.detail, allowing any PERM_READ caller with access to fm_audit_search to recover the stored credentials. This issue is fixed in version 1.6.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T18:11:11.738Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-3p65-2prr-cfvf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-3p65-2prr-cfvf"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/02203edb613774f265ad8a21d99c4f6cf7de0d4d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/02203edb613774f265ad8a21d99c4f6cf7de0d4d"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2"
            }
          ],
          "source": {
            "advisory": "GHSA-3p65-2prr-cfvf",
            "discovery": "UNKNOWN"
          },
          "title": "Frogman: Plaintext passwords and secrets persisted to audit log"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46514",
        "datePublished": "2026-07-16T18:11:11.738Z",
        "dateReserved": "2026-05-14T19:12:32.754Z",
        "dateUpdated": "2026-07-16T18:40:59.789Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46513 (GCVE-0-2026-46513)

    Vulnerability from nvd – Published: 2026-07-16 18:14 – Updated: 2026-07-17 13:58
    VLAI
    Title
    Frogman: API tokens stored in plaintext
    Summary
    Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hex(random_bytes(32)) strings in oc_api_tokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stored raw value, allowing database read access to recover reusable active tokens at their assigned permission level, including admin. This issue is fixed in version 1.6.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-256 - Plaintext Storage of a Password
    Assigner
    Impacted products
    Vendor Product Version
    mwtcmi frogman Affected: < 1.6.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46513",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-17T13:58:25.901633Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-17T13:58:34.353Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frogman",
              "vendor": "mwtcmi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hex(random_bytes(32)) strings in oc_api_tokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stored raw value, allowing database read access to recover reusable active tokens at their assigned permission level, including admin. This issue is fixed in version 1.6.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-256",
                  "description": "CWE-256: Plaintext Storage of a Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T18:14:05.454Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-9xf5-9ghq-p6cw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-9xf5-9ghq-p6cw"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/b10f314add08c8e7585ba4b27d071b07d026ab55",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/b10f314add08c8e7585ba4b27d071b07d026ab55"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2"
            }
          ],
          "source": {
            "advisory": "GHSA-9xf5-9ghq-p6cw",
            "discovery": "UNKNOWN"
          },
          "title": "Frogman: API tokens stored in plaintext"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46513",
        "datePublished": "2026-07-16T18:14:05.454Z",
        "dateReserved": "2026-05-14T19:12:32.754Z",
        "dateUpdated": "2026-07-17T13:58:34.353Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46512 (GCVE-0-2026-46512)

    Vulnerability from nvd – Published: 2026-07-16 18:15 – Updated: 2026-07-16 18:15
    VLAI
    Title
    Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping
    Summary
    Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2.
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    mwtcmi frogman Affected: < 1.6.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frogman",
              "vendor": "mwtcmi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T18:15:52.181Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-pxfc-q72v-jh8m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-pxfc-q72v-jh8m"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/36a05ffa2df1d256b6f6f7c3b66ef77ebe3e458a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/36a05ffa2df1d256b6f6f7c3b66ef77ebe3e458a"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2"
            }
          ],
          "source": {
            "advisory": "GHSA-pxfc-q72v-jh8m",
            "discovery": "UNKNOWN"
          },
          "title": "Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46512",
        "datePublished": "2026-07-16T18:15:52.181Z",
        "dateReserved": "2026-05-14T19:12:32.754Z",
        "dateUpdated": "2026-07-16T18:15:52.181Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46515 (GCVE-0-2026-46515)

    Vulnerability from cvelistv5 – Published: 2026-07-16 18:17 – Updated: 2026-07-16 18:29
    VLAI
    Title
    Frogman: Multiple read-tier tools expose admin-grade data and arbitrary GraphQL execution
    Summary
    Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, and fm_diagnose_trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5_cred, and oauth_secret. This issue is fixed in version 1.6.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    mwtcmi frogman Affected: < 1.6.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46515",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T18:29:22.501446Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T18:29:28.728Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frogman",
              "vendor": "mwtcmi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERM_READ access was sufficient to call fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, and fm_diagnose_trunk, exposing AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup artifact paths, CDR history, arbitrary saved GraphQL query execution, and raw AMI endpoint dumps containing SIP fields such as password, md5_cred, and oauth_secret. This issue is fixed in version 1.6.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T18:17:14.563Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-q4c4-5cr4-8q47",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-q4c4-5cr4-8q47"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/issues/13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/issues/13"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/issues/25",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/issues/25"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/55ea257d5c24bc01c814a607faa7e76e86b111ec",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/55ea257d5c24bc01c814a607faa7e76e86b111ec"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/b8a8bfc12b564bcb77caef952873b9ffd4a98b00",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/b8a8bfc12b564bcb77caef952873b9ffd4a98b00"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.3"
            }
          ],
          "source": {
            "advisory": "GHSA-q4c4-5cr4-8q47",
            "discovery": "UNKNOWN"
          },
          "title": "Frogman: Multiple read-tier tools expose admin-grade data and arbitrary GraphQL execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46515",
        "datePublished": "2026-07-16T18:17:14.563Z",
        "dateReserved": "2026-05-14T19:12:32.754Z",
        "dateUpdated": "2026-07-16T18:29:28.728Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46512 (GCVE-0-2026-46512)

    Vulnerability from cvelistv5 – Published: 2026-07-16 18:15 – Updated: 2026-07-16 18:15
    VLAI
    Title
    Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping
    Summary
    Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2.
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    mwtcmi frogman Affected: < 1.6.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "frogman",
              "vendor": "mwtcmi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T18:15:52.181Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-pxfc-q72v-jh8m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-pxfc-q72v-jh8m"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/36a05ffa2df1d256b6f6f7c3b66ef77ebe3e458a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/36a05ffa2df1d256b6f6f7c3b66ef77ebe3e458a"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2"
            }
          ],
          "source": {
            "advisory": "GHSA-pxfc-q72v-jh8m",
            "discovery": "UNKNOWN"
          },
          "title": "Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46512",
        "datePublished": "2026-07-16T18:15:52.181Z",
        "dateReserved": "2026-05-14T19:12:32.754Z",
        "dateUpdated": "2026-07-16T18:15:52.181Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46513 (GCVE-0-2026-46513)

    Vulnerability from cvelistv5 – Published: 2026-07-16 18:14 – Updated: 2026-07-17 13:58
    VLAI
    Title
    Frogman: API tokens stored in plaintext
    Summary
    Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hex(random_bytes(32)) strings in oc_api_tokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stored raw value, allowing database read access to recover reusable active tokens at their assigned permission level, including admin. This issue is fixed in version 1.6.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-256 - Plaintext Storage of a Password
    Assigner
    Impacted products
    Vendor Product Version
    mwtcmi frogman Affected: < 1.6.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46513",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-17T13:58:25.901633Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-17T13:58:34.353Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frogman",
              "vendor": "mwtcmi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, Frogman stored API tokens generated by Tools/CreateApiToken.php:33-36 as raw bin2hex(random_bytes(32)) strings in oc_api_tokens, and Frogman.class.php:78 authenticated the X-Frogman-Token header by comparing it with the stored raw value, allowing database read access to recover reusable active tokens at their assigned permission level, including admin. This issue is fixed in version 1.6.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-256",
                  "description": "CWE-256: Plaintext Storage of a Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T18:14:05.454Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-9xf5-9ghq-p6cw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-9xf5-9ghq-p6cw"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/b10f314add08c8e7585ba4b27d071b07d026ab55",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/b10f314add08c8e7585ba4b27d071b07d026ab55"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2"
            }
          ],
          "source": {
            "advisory": "GHSA-9xf5-9ghq-p6cw",
            "discovery": "UNKNOWN"
          },
          "title": "Frogman: API tokens stored in plaintext"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46513",
        "datePublished": "2026-07-16T18:14:05.454Z",
        "dateReserved": "2026-05-14T19:12:32.754Z",
        "dateUpdated": "2026-07-17T13:58:34.353Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46514 (GCVE-0-2026-46514)

    Vulnerability from cvelistv5 – Published: 2026-07-16 18:11 – Updated: 2026-07-16 18:40
    VLAI
    Title
    Frogman: Plaintext passwords and secrets persisted to audit log
    Summary
    Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_reset_password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm_add_extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode those responses into oc_audit_log.detail, allowing any PERM_READ caller with access to fm_audit_search to recover the stored credentials. This issue is fixed in version 1.6.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    mwtcmi frogman Affected: < 1.6.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T18:40:48.863863Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T18:40:59.789Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "frogman",
              "vendor": "mwtcmi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_reset_password in Tools/ResetPassword.php:48-53 returned a plaintext password and fm_add_extension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode those responses into oc_audit_log.detail, allowing any PERM_READ caller with access to fm_audit_search to recover the stored credentials. This issue is fixed in version 1.6.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T18:11:11.738Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-3p65-2prr-cfvf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mwtcmi/frogman/security/advisories/GHSA-3p65-2prr-cfvf"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/commit/02203edb613774f265ad8a21d99c4f6cf7de0d4d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/commit/02203edb613774f265ad8a21d99c4f6cf7de0d4d"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.1"
            },
            {
              "name": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mwtcmi/frogman/releases/tag/v1.6.2"
            }
          ],
          "source": {
            "advisory": "GHSA-3p65-2prr-cfvf",
            "discovery": "UNKNOWN"
          },
          "title": "Frogman: Plaintext passwords and secrets persisted to audit log"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46514",
        "datePublished": "2026-07-16T18:11:11.738Z",
        "dateReserved": "2026-05-14T19:12:32.754Z",
        "dateUpdated": "2026-07-16T18:40:59.789Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }