172 matches found
AstrBot <= 4.22.1 - Command Injection
AstrBot versions up to and including 4.22.1 contain a command injection vulnerability in the MCP server configuration endpoint. The /api/tools/mcp/add endpoint accepts arbitrary command and args fields that are passed directly to subprocess execution during the connection test, without any...
CVE-2026-16077
A vulnerability was found in AstrBotDevs AstrBot up to 4.25.5. Impacted is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py of the component Filesystem Computer-Use Tool. Performing a manipulation results in link following. The attack is only possible with local...
CVE-2026-16077
AstrBotDevs AstrBot up to 4.25.5 is affected by a vulnerability in the function _normalize_rw_path within astrbot/core/tools/computer_tools/fs.py of the Filesystem Computer-Use Tool. The issue arises from a manipulation that enables link following, with exploitation possible only from local acces...
EUVD-2026-45356
A vulnerability was found in AstrBotDevs AstrBot up to 4.25.5. Impacted is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py of the component Filesystem Computer-Use Tool. Performing a manipulation results in link following. The attack is only possible with local...
CVE-2026-16076
A vulnerability has been found in AstrBotDevs AstrBot up to 4.25.5. This issue affects the function OpenApiRoute.chatsend of the file astrbot/dashboard/routes/openapi.py of the component API. Such manipulation of the argument Username leads to authentication bypass by spoofing. It is possible to...
CVE-2026-16076
AstrBot up to version 4.25.5 is affected by CVE-2026-16076. The vulnerability occurs in OpenApiRoute.chat_send (astrbot/dashboard/routes/open_api.py) where manipulation of the Username argument leads to authentication bypass by spoofing. The issue is exploitable remotely, the exploit is publicly ...
EUVD-2026-45355
A vulnerability has been found in AstrBotDevs AstrBot up to 4.25.5. This issue affects the function OpenApiRoute.chatsend of the file astrbot/dashboard/routes/openapi.py of the component API. Such manipulation of the argument Username leads to authentication bypass by spoofing. It is possible to...
CVE-2026-16075
A flaw has been found in AstrBotDevs AstrBot up to 4.25.5. This vulnerability affects the function OpenApiRoute.getchatsessions of the file astrbot/dashboard/routes/openapi.py of the component session-listing Endpoint. This manipulation of the argument Username causes authorization bypass. It is...
CVE-2026-16075
CVE-2026-16075 affects AstrBotDevs AstrBot up to 4.25.5. The flaw is in the function OpenApiRoute.get_chat_sessions (file astrbot/dashboard/routes/open_api.py) of the session-listing Endpoint. By manipulating the Username argument, an authorization bypass is possible, and the issue can be exploit...
EUVD-2026-45353
A flaw has been found in AstrBotDevs AstrBot up to 4.25.5. This vulnerability affects the function OpenApiRoute.getchatsessions of the file astrbot/dashboard/routes/openapi.py of the component session-listing Endpoint. This manipulation of the argument Username causes authorization bypass. It is...
PT-2026-60919
A flaw has been found in AstrBotDevs AstrBot up to 4.25.5. This vulnerability affects the function OpenApiRoute.get chat sessions of the file astrbot/dashboard/routes/open api.py of the component session-listing Endpoint. This manipulation of the argument Username causes authorization bypass. It ...
CVE-2026-16074 AstrBotDevs AstrBot Plugin Update plugin.py update_all_plugins server-side request forgery
A vulnerability was detected in AstrBotDevs AstrBot up to 4.25.2. This affects the function updateplugin/updateallplugins of the file astrbot/dashboard/routes/plugin.py of the component Plugin Update Handler. The manipulation of the argument downloadurl/downloadurls/proxy results in server-side...
CVE-2026-16074
CVE-2026-16074 affects AstrBot up to version 4.25.2. The vulnerability lies in the function update_plugin/update_all_plugins (file astrbot/dashboard/routes/plugin.py) where manipulation of the arguments download_url/download_urls/proxy enables server-side request forgery (SSRF). Exploitation may ...
EUVD-2026-45315
A vulnerability was detected in AstrBotDevs AstrBot up to 4.25.2. This affects the function updateplugin/updateallplugins of the file astrbot/dashboard/routes/plugin.py of the component Plugin Update Handler. The manipulation of the argument downloadurl/downloadurls/proxy results in server-side...
CVE-2026-16073
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.texttoimage/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is...
CVE-2026-16073
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-16073 AstrBotDevs AstrBot T2I Feature base.py NetworkRenderStrategy.render cross site scripting
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.texttoimage/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is...
EUVD-2026-45244
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.texttoimage/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is...
PT-2026-60836
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.text to image/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is...
CVE-2026-15501
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function ToolsRoute.testmcpconnection of the file astrbot/dashboard/routes/tools.py of the component MCP Test Endpoint. The manipulation of the argument mcpserverconfig.url leads to...