CVE-2026-6117

MEDIUM 6.3

AstrBotDevs AstrBot install-upload Endpoint plugin.py install_plugin_upload sandbox

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

12th

A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE	CWE-265 CWE-264
Vendor	astrbotdevs
Product	astrbot
Published	Apr 12, 2026
Last Updated	Apr 15, 2026

Stay Ahead of the Next One

Get instant alerts for astrbotdevs astrbot

Be the first to know when new medium vulnerabilities affecting astrbotdevs astrbot are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

AstrBotDevs / AstrBot

4.22.0 4.22.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/356977 vuldb.com: https://vuldb.com/vuln/356977/cti vuldb.com: https://vuldb.com/submit/792653 github.com: https://github.com/AstrBotDevs/AstrBot/issues/7168 github.com: https://github.com/AstrBotDevs/AstrBot/

Credits

🔍 Yu_Bao (VulDB User) VulDB CNA Team