CVE-2026-6117
MEDIUMAstrBotDevs AstrBot install-upload Endpoint plugin.py install_plugin_upload sandbox
Title source: cnaDescription
A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
References (5)
Core 5
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-356977 | AstrBotDevs AstrBot install-upload Endpoint plugin.py install_plugin_upload sandbox
https://vuldb.com/vuln/356977
Signature, Permissions Required signature
permissions-required
VDB-356977 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/356977/cti
Third Party Advisory third-party-advisory
Submit #792653 | AstrBotDevs AstrBot 4.22.1 Arbitrary Code Execution via Plugin Upload
https://vuldb.com/submit/792653
Exploit exploit
issue-tracking
https://github.com/AstrBotDevs/AstrBot/issues/7168
Product product
https://github.com/AstrBotDevs/AstrBot/
Scores
CVSS v3
6.3
EPSS
0.0022
EPSS Percentile
12.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-264
CWE-265
Status
published
Products (2)
AstrBotDevs/AstrBot
4.22.0
AstrBotDevs/AstrBot
4.22.1
Published
Apr 12, 2026
Tracked Since
Apr 12, 2026