CVE-2026-6119

MEDIUM

AstrBotDevs AstrBot API Endpoint post_data.get server-side request forgery

Title source: cna

Description

A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function post_data.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/356979

[Third Party Advisory] https://vuldb.com/submit/792661

[Exploit] https://github.com/AstrBotDevs/AstrBot/issues/7171

[Product] https://github.com/AstrBotDevs/AstrBot/

[Signature, Permissions Required] https://vuldb.com/vuln/356979/cti

Scores

CVSS v3 6.3

EPSS 0.0001

EPSS Percentile 2.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

AstrBotDevs/AstrBot 4.22.0

AstrBotDevs/AstrBot 4.22.1

Published Apr 12, 2026

Tracked Since Apr 12, 2026