PYSEC-2026-2337

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aiograpi/PYSEC-2026-2337.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2337
Aliases
Published
2026-07-13T15:19:11.646293Z
Modified
2026-07-13T16:31:35.396181513Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
aiograpi: Unsafe signup challenge path handling
Details

aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intended Instagram host with the client\'s existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms.

References

Affected packages

PyPI / aiograpi

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.10

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.1.1
0.2.0
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/aiograpi/PYSEC-2026-2337.yaml"