PYSEC-2026-1198

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/astrbot/PYSEC-2026-1198.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1198
Aliases
Published
2026-07-07T16:03:09.885967Z
Modified
2026-07-07T17:46:22.675181274Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
AstrBot contains a directory traversal vulnerability
Details

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validity of the filename. The variable filepath is then passed as a parameter to the function file.save, so that the file in the request body can be saved to any location in the file system through directory traversal.

References

Affected packages

PyPI / astrbot

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
3.5.22

Affected versions

3.*
3.4.39
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.14
3.5.15
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.22

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/astrbot/PYSEC-2026-1198.yaml"