Description
LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4
Issue Tracking x_refsource_misc
https://github.com/langbot-app/LangBot/pull/1691
Release Notes x_refsource_misc
https://github.com/langbot-app/LangBot/releases/tag/v4.3.5
Scores
CVSS v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P)
EPSS: 0.0037
EPSS Percentile: 28.9%
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-23, CWE-434
Status: published
Products (1)
langbot-app/LangBot: >= 4.1.0, < 4.3.5
Published: Oct 02, 2025
Tracked Since: Feb 18, 2026