PatchSiren

AstrBotDevs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW AstrBotDevs CVE published 2026-07-12

CVE-2026-15500

A server-side request forgery vulnerability has been identified in AstrBotDevs AstrBot up to 4.25.2. The vulnerability affects the function get_online_plugins of the file astrbot/dashboard/routes/plugin.py of the component market_list Endpoint. An attacker can exploit this vulnerability by manipulating the argument custom_registry, leading to server-side request forgery. The attack can be executed remotel [truncated]

LOW AstrBotDevs CVE published 2026-07-12

CVE-2026-15499

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. The vulnerability is located in the Scheduled Task Handler component, specifically in the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py. The manipulation of the argument payload[note] results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the publ [truncated]

LOW AstrBotDevs CVE published 2026-06-01

CVE-2026-10212

A low-severity authorization bypass vulnerability in AstrBot 4.24.2 allows remote attackers to bypass authorization controls by manipulating the session_id argument in the astr_main_agent function of astrbot/core/astr_main_agent.py. The CVSS 4.0 score of 2.1 reflects limited privileges required and low impact on confidentiality, integrity, and availability. The exploit has been publicly disclosed via a Gi [truncated]