Lucene search

8 matches found

EUVD
added 2026/04/12 6:30 a.m. | 3 views

EUVD-2026-21710

A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed...

CVSS 6.5 | AI score 5.4 | EPSS 0.0005
Exploits: 0 | References: 6
Snyk
added 2026/04/12 6:3 a.m. | 1 view

Arbitrary Code Injection

Overview: AstrBot is an easy-to-use multi-platform LLM chatbot and development framework. Affected versions of this package are vulnerable to Arbitrary Code Injection via the install_plugin_upload function. An attacker can execute unauthorized code and potentially compromise the application by uploading a crafted file to the affected endpoint...

CVSS 8.8 | AI score 6.8 | EPSS 0.0005
Exploits: 0 | References: 2
Vulnrichment
added 2026/04/12 4:30 a.m. | 0 views

CVE-2026-6117 AstrBotDevs AstrBot install-upload Endpoint plugin.py install_plugin_upload sandbox

A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed...

CVSS 6.5 | AI score 5.4 | EPSS 0.0005
Exploits: 0 | References: 5
Cvelist
added 2026/04/12 4:30 a.m. | 35 views

CVE-2026-6117 AstrBotDevs AstrBot install-upload Endpoint plugin.py install_plugin_upload sandbox

A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed...

CVSS 6.5 | EPSS 0.0005
Exploits: 0 | References: 5
Positive Technologies
added 2026/04/12 12:0 a.m. | 0 views

PT-2026-32149

A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed...

CVSS 6.5 | AI score 5.4 | EPSS 0.0005
Exploits: 0 | References: 6
RedhatCVE
added 2025/11/08 12:55 a.m. | 3 views

CVE-2025-57698

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...

CVSS 7.5 | AI score 6.9 | EPSS 0.00432
Exploits: 1 | References: 1
Snyk
added 2025/11/07 6:30 p.m. | 2 views

Directory Traversal

Overview: AstrBot is an easy-to-use multi-platform LLM chatbot and development framework. Affected versions of this package are vulnerable to Directory Traversal via the install_plugin_upload handler, which parses the filename from the request body and assigns it directly to filepath without validation. An attacker can write arbitrary files t...

CVSS 8.7 | AI score 6.5 | EPSS 0.00432
Exploits: 1 | References: 2
OSV
added 2025/11/07 6:30 p.m. | 3 views

GHSA-XRJ9-MW57-J34V AstrBot contains a directory traversal vulnerability

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...

CVSS 8.7 | AI score 6.9 | EPSS 0.00432
Exploits: 1 | References: 3