ByteOS Network

CVE Vulnerability Details :

CVE-2026-8754

PUBLISHED

More Info Official Page

Assigner-VulDB

Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5

Published At-17 May, 2026 | 12:15

Updated At-18 May, 2026 | 20:05

▼CVE Numbering Authority (CNA)

AstrBotDevs AstrBot File Upload chat.py post_file path traversal

A vulnerability was detected in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function post_file of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 4.23.6 is recommended to address this issue. The patch is identified as aaec41e5054569ceaa1113593a34da7568e2d211. You should upgrade the affected component.

Affected Products

Vendor

AstrBotDevs

Product

AstrBot

CPEs

cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*

Modules

File Upload Handler

Versions

Affected

4.23.0
4.23.1
4.23.2
4.23.3
4.23.4
4.23.5

Unaffected

4.23.6

Problem Types

Type	CWE ID	Description
CWE	CWE-22	Path Traversal

Type: CWE

CWE ID: CWE-22

Description: Path Traversal

Metrics

Version	Base score	Base severity	Vector
4.0	5.3	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.1	6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
3.0	6.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
2.0	6.5	N/A	AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Version: 4.0

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Version: 3.0

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Version: 2.0

Base score: 6.5

Base severity: N/A

Vector:

AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Credits

reporter

Eric-a (VulDB User)

Timeline

Event	Date
Advisory disclosed	2026-05-16 00:00:00
VulDB entry created	2026-05-16 02:00:00
VulDB entry last update	2026-05-16 19:39:03

Event: Advisory disclosed

Date: 2026-05-16 00:00:00

Event: VulDB entry created

Date: 2026-05-16 02:00:00

Event: VulDB entry last update

Date: 2026-05-16 19:39:03

References

Hyperlink	Resource
https://vuldb.com/vuln/364381	vdb-entry technical-description
https://vuldb.com/vuln/364381/cti	signature permissions-required
https://vuldb.com/submit/811172	third-party-advisory
https://gist.github.com/YLChen-007/054415c2b63e58813328bc879a90c504	exploit
https://github.com/AstrBotDevs/AstrBot/commit/aaec41e5054569ceaa1113593a34da7568e2d211	patch
https://github.com/AstrBotDevs/AstrBot/releases/tag/v4.23.6	patch
https://github.com/AstrBotDevs/AstrBot/	product

Hyperlink: https://vuldb.com/vuln/364381

Resource:

vdb-entry

technical-description

Hyperlink: https://vuldb.com/vuln/364381/cti

Resource:

signature

permissions-required

Hyperlink: https://vuldb.com/submit/811172

Resource:

third-party-advisory

Hyperlink: https://gist.github.com/YLChen-007/054415c2b63e58813328bc879a90c504

Resource:

exploit

Hyperlink: https://github.com/AstrBotDevs/AstrBot/commit/aaec41e5054569ceaa1113593a34da7568e2d211

Resource:

patch

Hyperlink: https://github.com/AstrBotDevs/AstrBot/releases/tag/v4.23.6

Resource:

patch

Hyperlink: https://github.com/AstrBotDevs/AstrBot/

Resource:

product

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

References

Hyperlink	Resource
https://vuldb.com/submit/811172	exploit

Hyperlink: https://vuldb.com/submit/811172

Resource:

exploit

Affected Products

Affected

Unaffected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References