AstrBotDevs AstrBot install-upload Endpoint plugin.py install_plugin_upload sandbox_CVE-2026-6117

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Basic Information

ID CVE-2026-6117

Source VulDB

Published Apr 12, 2026 at 04:30

Affected Product

Vendor AstrBotDevs

Product AstrBot

Version 4.22.0

Affected Versions AstrBotDevs AstrBot 4.22.0
AstrBotDevs AstrBot 4.22.1

CWE Classification

CWE-265 CWE-264

References

{
    "lastseen": "",
    "description": "A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.",
    "published": "2026-04-12T04:30:12.395Z",
    "modified": "2026-04-12T04:30:12.395Z",
    "type": "cve",
    "title": "AstrBotDevs AstrBot install-upload Endpoint plugin.py install_plugin_upload sandbox",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/356977\nhttps://vuldb.com/vuln/356977/cti\nhttps://vuldb.com/submit/792653\nhttps://github.com/AstrBotDevs/AstrBot/issues/7168\nhttps://github.com/AstrBotDevs/AstrBot/",
    "id": "CVE-2026-6117",
    "bulletinFamily": "",
    "cwe": [
        "CWE-265",
        "CWE-264"
    ],
    "cvelist": null,
    "sourceData": "AstrBotDevs AstrBot 4.22.0\nAstrBotDevs AstrBot 4.22.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AstrBot",
    "version": "4.22.0",
    "vendor": "AstrBotDevs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}