CVE-2026-6984
Published 2026-04-25. CVE-2026-6984: A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function create_template of the file astrbot/dashboard/routes/t2i.py…
Priority: P4 · 31 · medium · CVSS 3.1 base score 4.7
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.30% (21.5th percentile)
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function create_template of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astrbot | astrbot | 0 – 4.22.1 | — |
| astrbotdevs | astrbot | — | — |
| astrbotdevs | astrbot | — | — |
CVSS provenance
NVD · CVSS v3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
NVD · CVSS v4.0 · 2.0 LOW · CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
NVD · CVSS v2.0 · 5.8 MEDIUM · AV:N/AC:L/Au:M/C:P/I:P/A:P
GHSA
AstrBot has Incomplete Filtering of Special Elements
GHSA · 2026-04-25
CVE-2026-6984 [LOW] CWE-791 AstrBot has Incomplete Filtering of Special Elements
VulDB
AstrBotDevs AstrBot up to 4.22.1 Dashboard API t2i.py create_template special elements used in a template engine (Issue 7330)
VulDB · 2026-04-24 · CVSS 5.1
CVE-2026-6984 [MEDIUM] AstrBotDevs AstrBot up to 4.22.1 Dashboard API t2i.py create_template special elements used in a template engine (Issue 7330)
A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. It has been declared as critical. This affects the function create_template of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine.
This vulnerability is identified as CVE-2026-6984. The attack can be executed remotely. Additionally, an exploit exists.
The project was informed of the problem early through an issue report but has not responded yet.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.