CVE-2026-47157
aiograpi: Unsafe signup challenge path handling
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example through a local network, DNS, or proxy compromise, challenge handling requests could be sent outside the intended Instagram host with the client's existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms.
| CWE | CWE-918 |
| Vendor | subzeroid |
| Product | aiograpi |
| Published | Jun 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for subzeroid aiograpi
Be the first to know when new medium vulnerabilities affecting subzeroid aiograpi are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
subzeroid / aiograpi
< 0.9.10
References
github.com: https://github.com/subzeroid/aiograpi/security/advisories/GHSA-jh37-x3fv-4x72 github.com: https://github.com/subzeroid/aiograpi/pull/274 github.com: https://github.com/subzeroid/aiograpi/commit/9c24151916beca622e588bfb3167c98711ff744f github.com: https://github.com/subzeroid/aiograpi/releases/tag/0.9.10