VYPR

PyPI package

astrbot

pkg:pypi/astrbot

Vulnerabilities (6)

  • CVE-2025-55449 · High · May 8, 2026
    affected < 3.5.18 · fixed 3.5.18

    AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.

  • CVE-2026-7579 · High · May 1, 2026
    affected <= 4.16.0

    A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the att

  • CVE-2026-6984 · Medium · Apr 25, 2026
    affected <= 4.22.1

    A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function create_template of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a templat

  • CVE-2025-57698 · Nov 7, 2025
    affected <= 3.5.22

    AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without

  • CVE-2025-57697 · Nov 7, 2025
    affected <= 3.5.22

    AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without

  • CVE-2025-48957 · Jun 2, 2025
    affected >= 3.4.4, < 3.5.13 · fixed 3.5.13

    AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has