AstrBot: Unsecured File Upload in Plugin Installation
CVE-2026-6117
Summary
AstrBot's plugin installation feature allows an attacker to upload malicious files without proper validation, which can lead to a security breach. This affects version 4.22.1 and earlier. To protect your system, update to the latest version or consider a temporary mitigation until a patch is available.
Original title
A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload E...
Original description
A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in a sandbox issue. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Scores (NVD)
CVSS 2.0: 6.5
CVSS 3.1: 6.3
CVSS 4.0: 5.3
Vulnerability type
CWE-264: Permissions, Privileges, and Access Controls
CWE-265: Privilege Issues
Published: 12 Apr 2026 · Updated: 12 Apr 2026 · First seen: 12 Apr 2026