PatchSiren cyber security CVE debrief
CVE-2026-15500 AstrBotDevs CVE debrief
A server-side request forgery vulnerability has been identified in AstrBotDevs AstrBot up to 4.25.2. The vulnerability affects the function get_online_plugins of the file astrbot/dashboard/routes/plugin.py of the component market_list Endpoint. An attacker can exploit this vulnerability by manipulating the argument custom_registry, leading to server-side request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. This debrief provides an executive overview of the evidence basis, exposure question, likely defender workflow, and priority posture.
- Vendor
- AstrBotDevs
- Product
- AstrBot
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-12
- Original CVE updated
- 2026-07-12
- Advisory published
- 2026-07-12
- Advisory updated
- 2026-07-12
Who should care
Administrators and users of AstrBotDevs AstrBot up to 4.25.2 should be aware of this vulnerability and take necessary precautions to prevent exploitation. Operators, platform administrators, vulnerability management teams, and security teams should review affected scope and prioritize remediation efforts.
Technical summary
The vulnerability is caused by a weakness in the get_online_plugins function of the astrbot/dashboard/routes/plugin.py file in the market_list Endpoint of AstrBotDevs AstrBot up to 4.25.2. An attacker can manipulate the custom_registry argument to execute a server-side request forgery attack. The attack can be executed remotely, and the exploit has been publicly available. Affected product deployments should be reviewed for exposure, and compensating controls should be considered.
Defensive priority
Low
Recommended defensive actions
- Inventory and verify affected AstrBotDevs AstrBot installations up to 4.25.2
- Apply vendor patches or updates if available
- Implement compensating controls to detect and prevent server-side request forgery attacks
- Monitor for suspicious activity and exception tracking
- Review relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-12T12:16:44.413Z and has not been modified since then. The NVD entry is currently Received. The vulnerability has a CVSS score of 2.1 and a severity of LOW. Evidence is limited, and defenders should verify affected AstrBotDevs AstrBot installations up to 4.25.2. Additional verification tasks are needed to confirm exposure.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T12:16:44.413Z and has not been modified since then. The NVD entry is currently Received.