Submit #792653: AstrBotDevs AstrBot 4.22.1 Arbitrary Code Execution via Plugin Uploadinfo

TitleAstrBotDevs AstrBot 4.22.1 Arbitrary Code Execution via Plugin Upload
DescriptionAstrBot versions up to and including 4.22.1 allow authenticated users to achieve arbitrary code execution on the server by uploading a malicious plugin ZIP file via the /api/plugin/install-upload endpoint. The uploaded plugin's Python code is dynamically loaded via __import__() without any code signing verification, sandboxing, or content validation, allowing an attacker to execute arbitrary Python code in the context of the AstrBot server process.
Source⚠️ https://github.com/AstrBotDevs/AstrBot/issues/7168
User
 Yu_Bao (UID 89348)
Submission03/30/2026 05:27 (3 months ago)
Moderation04/11/2026 10:50 (12 days later)
StatusAccepted
VulDB entry356977 [AstrBotDevs AstrBot up to 4.22.1 install-upload Endpoint plugin.py install_plugin_upload File sandbox]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!