PYSEC-2026-1197

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/astrbot/PYSEC-2026-1197.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1197
Aliases
Published
2026-07-07T16:03:09.964955Z
Modified
2026-07-07T17:46:22.623874700Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64
Details

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function encodeimagebs64. Since the encodeimagebs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.

References

Affected packages

PyPI / astrbot

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
3.5.22

Affected versions

3.*
3.4.39
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.14
3.5.15
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.22

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/astrbot/PYSEC-2026-1197.yaml"