CVE-2026-46515 is a critical security vulnerability in Frogman, a headless PBX control system. Prior to version 1.6.3, the system did not properly restrict access to certain functions, allowing users with PERM_READ access to call sensitive functions and expose sensitive information, including AMI manager secrets, outbound dial PINs, full Asterisk dialplan context, root SSH connection commands, backup arti [truncated]
CVE-2026-46512 is a critical vulnerability in Frogman, a headless PBX control system. Prior to version 1.6.2, the fm_dialplan_apply function accepted template parameters, including greeting, dest, url, extension, code, and file. These parameters were used to write output to extensions_custom.conf without proper sanitization, allowing a PERM_WRITE caller with confirm:true to inject arbitrary Asterisk direc [truncated]