CVE-2026-6118

Source
https://cve.org/CVERecord?id=CVE-2026-6118
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6118.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-6118
Published
2026-04-12T04:45:09.857Z
Modified
2026-07-08T08:09:48.440698263Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
AstrBotDevs AstrBot MCP Endpoint tools.py add_mcp_server command injection
Details

A vulnerability was determined in AstrBotDevs AstrBot up to 4.22.1. Impacted is the function addmcpserver of the file astrbot/dashboard/routes/tools.py of the component MCP Endpoint. This manipulation of the argument command causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6118.json",
    "cwe_ids": [
        "CWE-74",
        "CWE-77"
    ],
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/astrbotdevs/astrbot

Affected ranges

Type
GIT
Repo
https://github.com/astrbotdevs/astrbot
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "4.22.0"
        },
        {
            "last_affected": "4.22.0"
        },
        {
            "introduced": "4.22.1"
        },
        {
            "last_affected": "4.22.1"
        }
    ]
}

Affected versions

4.*
4.22.0
4.22.1
v4.*
v4.22.0
v4.22.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6118.json"