PT-2026-32150 · Astrbot · Astrbot
Yu_Bao · Published 2026-04-12 · Updated 2026-04-14 · CVE-2026-6118
CVSS v2.0: 6.5 (Medium) · Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
AstrBot versions up to 4.22.1
Description
A command injection issue exists in AstrBotDevs AstrBot up to version 4.22.1. The add mcp server function within the astrbot/dashboard/routes/tools.py file, part of the MCP Endpoint component, is affected. Manipulation of the command argument can lead to remote command injection. The exploit has been publicly disclosed.
Recommendations
Versions prior to 4.22.1 are recommended.
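As an added illustration of the mitigation class for this weakness (not AstrBot's code; the function names, the config shape and the allowlist are assumptions), a Python validator that only accepts MCP server "command" values from an operator-defined allowlist, rejects shell metacharacters in every token, and spawns the server from an argv list with no shell involved:

```python
# Added example, not AstrBot's code: validating an MCP server "command" field
# before any process is spawned. Names and the config shape are assumptions.
import shutil
import subprocess

# Constructed allowlist of launcher executables an operator permits for MCP
# stdio servers; anything else is rejected before a process is started.
ALLOWED_COMMANDS = {"npx", "uvx", "python3", "node"}

# Characters that only have meaning if the value were handed to a shell.
# Rejecting them is defence in depth; the launcher below never uses a shell.
SHELL_METACHARS = set(";|&$`<>\n\\\"'(){}")


def validate_mcp_server(config: dict) -> list[str]:
    """Return a validated argv list for the server or raise ValueError.

    The vulnerable pattern is concatenating config["command"] and
    config["args"] into one string and executing it with shell=True; the
    argv returned here is meant for subprocess with shell=False only.
    """
    command = config.get("command")
    args = config.get("args", [])
    if not isinstance(command, str) or not command:
        raise ValueError("command must be a non-empty string")
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    # Only a bare executable name on the allowlist is accepted, never a path.
    if "/" in command or "\\" in command or command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {command!r}")
    for token in [command, *args]:
        if SHELL_METACHARS & set(token):
            raise ValueError(f"shell metacharacter in token: {token!r}")
    return [command, *args]


def launch_mcp_server(config: dict) -> subprocess.Popen:
    """Spawn the validated server via an argv list (shell=False by default)."""
    argv = validate_mcp_server(config)
    exe = shutil.which(argv[0])
    if exe is None:
        raise FileNotFoundError(f"{argv[0]} not found on PATH")
    return subprocess.Popen([exe, *argv[1:]],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
```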
Weakness types: Special Elements Injection, Command Injection
Related Identifiers
Affected Products
Astrbot