7 matches found
CVE-2025-55449
AstrBotDevs AstrBot 3.5.15 has AdvancedSystemforTextResponseandBotOperationsTool as the hardcoded private key used to sign a JWT...
CVE-2026-10211
A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function normalizerwpath of the file astrbot/core/tools/computertools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly...
CVE-2026-10212
A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astrmainagent of the file astrbot/core/astrmainagent.py. Such manipulation of the argument sessionid leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly availab...
CVE-2026-8754
A vulnerability was detected in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function postfile of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. It is possible to launch the attack remotely...
GHSA-F63H-WC26-PMVC AstrBot: File upload vulnerability in the function post_file of the file astrbot/dashboard/routes/chat.py
A vulnerability was detected in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function postfile of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. It is possible to launch the attack remotely...
CVE-2025-55449
AstrBotDevs AstrBot 3.5.15 has AdvancedSystemforTextResponseandBotOperationsTool as the hardcoded private key used to sign a JWT...
CVE-2025-55449
AstrBot 3.5.15 is vulnerable to remote code execution via a hardcoded JWT signing key: Advanced_System_for_Text_Response_and_Bot_Operations_Tool. An attacker can forge a valid admin JWT and upload a malicious plugin through /api/plugin/install-upload, leading to arbitrary command execution (e.g.,...