CVE-2026-8754
Published: 2026-05-17
Priority: P3 (43) · CVSS 3.1 score 6.3 (medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.36% (27.7th percentile)
A vulnerability was detected in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function post_file of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 4.23.6 is recommended to address this issue. The patch is identified as aaec41e5054569ceaa1113593a34da7568e2d211. You should upgrade the affected component.
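The advisory says a client-controlled `filename` reaches a file write and can traverse out of the intended upload directory (CWE-22). Below is an added, defender-side illustration of the check that closes that class of bug in a Python upload handler: reject anything that is not a plain file name, then confirm the resolved destination still lives inside the resolved upload directory. This is example code written for this page, not AstrBot's `post_file` and not the content of the referenced fix commit; `safe_upload_path`, `is_safe_filename` and the `/tmp/uploads` directory are assumptions.

```python
import re
from pathlib import Path

# Allowed file name: one path component of safe characters, not starting with '.'
# (so ".env", ".." and hidden files are refused). Length capped at 128.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_upload_path(upload_dir: str, filename: str) -> Path:
    """Return the absolute destination for a client-supplied filename inside
    upload_dir, or raise ValueError. Hypothetical helper, not AstrBot code.

    Two layers on purpose: lexical checks on the raw name first, then a
    containment check on the resolved path as defence in depth.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or embedded NUL byte")
    # Separators of either OS family mean the client is trying to pick a directory.
    if "/" in filename or "\\" in filename:
        raise ValueError("path separators are not allowed in a filename")
    if not _SAFE_NAME.match(filename):
        raise ValueError(f"unsafe filename: {filename!r}")

    base = Path(upload_dir).resolve()
    dest = (base / filename).resolve()
    # After symlink/'..' resolution the file must sit directly in the upload dir.
    # This catches a pre-planted symlink named like the upload, which the
    # string checks above cannot see.
    if dest.parent != base:
        raise ValueError("resolved destination escapes the upload directory")
    return dest


def is_safe_filename(filename: str, upload_dir: str = "/tmp/uploads") -> bool:
    """Predicate form of safe_upload_path for quick checks and tests."""
    try:
        safe_upload_path(upload_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest shaped like CWE-22 probes.
    for name in ("report.pdf", "../../etc/passwd", "..\\..\\win.ini", ".env", "a/b.txt"):
        print(f"{name!r:28} -> {'accept' if is_safe_filename(name) else 'reject'}")
```

Upgrading to 4.23.6 is still the fix for this CVE; the check above is the pattern to look for when reviewing any other upload handler that builds a path from request data. A detection-side equivalent is to alert on upload requests whose `filename` contains `..`, `/`, or `\`, since a well-behaved client never sends those.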
Affected
7 ranges listed; only the first carries version data, the other six are identical rows with no range:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astrbot | astrbot | >= 0 < 4.23.6 | 4.23.6 |
| astrbotdevs | astrbot | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA (ghsa_unreviewed) · 2026-05-17
GHSA-f63h-wc26-pmvc · CVE-2026-8754 · severity LOW · CWE-22
Title: A vulnerability was detected in AstrBotDevs AstrBot up to 4
Description: same text as the summary above.

GHSA (ghsa) · 2026-05-17
CVE-2026-8754 · severity LOW · CWE-22
Title: AstrBot: File upload vulnerability in the function post_file of the file astrbot/dashboard/routes/chat.py
Description: same text as the summary above.
VulDB (vuldb) · 2026-05-16
CVE-2026-8754 · severity CRITICAL
Title: AstrBotDevs AstrBot up to 4.23.5 File Upload chat.py post_file filename path traversal
A vulnerability, which was classified as critical, was found in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function post_file of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal.
This vulnerability is known as CVE-2026-8754. It is possible to launch the attack remotely. Furthermore, an exploit is available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gist.github.com/YLChen-007/054415c2b63e58813328bc879a90c504
- https://github.com/AstrBotDevs/AstrBot/
- https://github.com/AstrBotDevs/AstrBot/commit/aaec41e5054569ceaa1113593a34da7568e2d211
- https://github.com/AstrBotDevs/AstrBot/releases/tag/v4.23.6
- https://vuldb.com/submit/811172
- https://vuldb.com/vuln/364381
- https://vuldb.com/vuln/364381/cti
Published: 2026-05-17