CVE-2021-36711

CRITICAL

Octobot < 0.4.4 - Unrestricted File Upload

Title source: rule

Description

WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.

Exploits (1)

exploitdb WORKING POC

by Samy Younsi · pythonwebappsmultiple

https://www.exploit-db.com/exploits/50979

View Code ZIP pw:eip

References (6)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/167780/OctoBot-WebInterface-0.4.3-Remote-Code-Execution.html

[Third Party Advisory] https://github.com/Drakkar-Software/OctoBot/blob/master/CHANGELOG.md

[Exploit, Third Party Advisory] https://github.com/Drakkar-Software/OctoBot/issues/1966

[Exploit, Third Party Advisory] https://github.com/Nwqda/Sashimi-Evil-OctoBot-Tentacle

[Third Party Advisory, VDB Entry] https://packetstormsecurity.com/files/167721/Sashimi-Evil-OctoBot-Tentacle.html

[Vendor Advisory] https://www.octobot.online/

Scores

CVSS v3 9.8

EPSS 0.4954

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

octobot/octobot < 0.4.4

pypi/OctoBot 0 - 0.4.4PyPI

Published Jul 16, 2022

Tracked Since Feb 18, 2026